From: "Greg Woolsey (JIRA)"
To: tapestry-dev@jakarta.apache.org
Reply-To: "Tapestry development"
Date: Tue, 3 Apr 2007 11:38:32 -0700 (PDT)
Message-ID: <8553763.1175625512236.JavaMail.jira@brutus>
Subject: [jira] Created: (TAPESTRY-1397) Secure integrated JSON functionality from JavaScript Hijacking

Secure integrated JSON functionality from JavaScript Hijacking
--------------------------------------------------------------

                 Key: TAPESTRY-1397
                 URL: https://issues.apache.org/jira/browse/TAPESTRY-1397
             Project: Tapestry
          Issue Type: Task
          Components: JavaScript
    Affects Versions: 4.1.2, 4.2
            Reporter: Greg Woolsey

See http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for details and simple solution options.

The security document indicates the Dojo project is already looking into the issue, so some coordination is probably in order, but I wanted to add an issue to track progress and thinking.

The recommendation to include the session cookie, if available, in all JSON requests, and validate it on the server, is something Tapestry could incorporate easily. If there is a JSESSIONID cookie on the page generating the request, use it; otherwise send a "no-session" value. The server would then check to see if there really was no session, or if the parameter matched the current request's session.

Also, the client-side suggestion of munging the response JS so it needs modification before execution is a good one. This is probably where Dojo changes would fit in. Personally, I like the infinite while loop suggestion, but that's just spite ;-)

-- 
This message is automatically generated by JIRA.