tapestry-dev mailing list archives

From "Greg Woolsey (JIRA)" <...@tapestry.apache.org>
Subject [jira] Created: (TAPESTRY-1397) Secure integrated JSON functionality from JavaScript Hijacking
Date Tue, 03 Apr 2007 18:38:32 GMT
Secure integrated JSON functionality from JavaScript Hijacking

                 Key: TAPESTRY-1397
                 URL: https://issues.apache.org/jira/browse/TAPESTRY-1397
             Project: Tapestry
          Issue Type: Task
          Components: JavaScript
    Affects Versions: 4.1.2, 4.2
            Reporter: Greg Woolsey



for details and simple solution options.

The security document indicates the Dojo project is already looking into the issue, so some
coordination is probably in order, but I wanted to add an issue to track progress and thinking.

The recommendation to include the session cookie if available in all JSON requests, and validate
it on the server, is something Tapestry could incorporate easily.  If there is a JSESSIONID
cookie on the page generating the request, use it, otherwise send a "no-session" value.  The
server would then check to see if there really was no session, or if the parameter matched
the current request's session.

Also, the client-side suggestion of munging the response JS so it needs modification before
execution is a good one.  This is probably where Dojo changes would fit in.  Personally, I
like the infinite while loop suggestion, but that's just spite ;-)

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org
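The two defenses the issue proposes, worked through as an added example that is not Tapestry or Dojo code: the client attaches the JSESSIONID cookie value (or a "no-session" marker) to every JSON request and the server validates it against the real session, and the server prefixes every JSON body with an infinite loop that the legitimate client strips before parsing. All function names, the `sessionToken` parameter name and the `while(1);` prefix text are assumptions of this example; the request and session objects are constructed inline so it runs offline.

```javascript
// Added example (not Tapestry or Dojo code). Models both sides of the
// exchange as plain functions so the whole round trip can run offline.
// Names (NO_SESSION, GUARD_PREFIX, readSessionCookie, buildJsonRequest,
// validateJsonRequest, wrapJsonResponse, unwrapJsonResponse, roundTrip)
// and the 'sessionToken' parameter are assumptions of this example.
const NO_SESSION = 'no-session';
const GUARD_PREFIX = 'while(1);'; // the "infinite while loop" munging from the issue

// --- client side (the page issuing the JSON request) -----------------------

// Read the JSESSIONID value from a document.cookie-style string, if present.
function readSessionCookie(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'JSESSIONID') return rest.join('=');
  }
  return null;
}

// Build the request parameters: the session id when the page has one,
// otherwise the explicit "no-session" marker. A hijacking page on another
// origin cannot read this cookie, so it cannot produce a matching token
// even though the browser still sends the cookie header for it.
function buildJsonRequest(cookieString, params) {
  const sid = readSessionCookie(cookieString);
  return { ...params, sessionToken: sid === null ? NO_SESSION : sid };
}

// Strip the guard prefix and parse. The client only ever accepts guarded
// bodies; a bare JSON body is treated as an error, not parsed.
function unwrapJsonResponse(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error('response is not guarded; refusing to parse');
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// --- server side -----------------------------------------------------------

// request.sessionId is what the container resolved from the cookie header
// (null when there is no session); request.params are the query parameters.
// Accept only when the claim matches reality: "no-session" with no session,
// or a token equal to the current request's session id.
function validateJsonRequest(request) {
  const token = request.params.sessionToken;
  if (token === undefined) return false;                  // parameter missing
  if (request.sessionId === null) return token === NO_SESSION;
  return token === request.sessionId;
}

// Munge the response so it cannot be executed as a script: a <script src>
// load of this body spins in the loop and never reaches the data.
function wrapJsonResponse(data) {
  return GUARD_PREFIX + JSON.stringify(data);
}

// Full round trip for one request: build, validate, answer, unwrap.
// Returns { ok: false, data: null } when the server rejects the request.
function roundTrip(cookieString, sessionIdOnServer, data) {
  const params = buildJsonRequest(cookieString, {});
  const request = { sessionId: sessionIdOnServer, params };
  if (!validateJsonRequest(request)) return { ok: false, data: null };
  return { ok: true, data: unwrapJsonResponse(wrapJsonResponse(data)) };
}

// Stand-alone demonstration with constructed values.
console.log(roundTrip('JSESSIONID=abc123', 'abc123', { items: [1, 2] }));
// A cross-origin <script> load carries the cookie but no token parameter.
console.log(validateJsonRequest({ sessionId: 'abc123', params: {} }));
```

The validation check is the interesting part: it has to reject both a missing token and a "no-session" token when the container did resolve a session, because a cross-origin script load is exactly the case where the cookie arrives without the page ever being able to read it.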
