Hi all,

Currently, the RPC servlet entry, DataServiceServlet and JsonRpcServlet support a callback parameter which is added in front of a JSON response, turning the JSON into JSONP. An attacker can access this by adding a script tag on his page with a source that links to these servlet entries; when the script is loaded, it automatically executes the function specified in the callback parameter, and that function can, for instance, send the data to the attacker's website.

I've opened JIRA 1837 for this issue and proposed an improvement to extract a setting so applications can disable the JSONP feature: https://issues.apache.org/jira/browse/SHINDIG-1837

While taking a further look into Shindig, it seems Shindig no longer uses this support, and since JSONP opens a security hole (it defeats the browser's protection against XSS), I would prefer to simply remove it rather than introduce yet another configuration item.

Is anyone currently dependent on this support?

Thanks,
Best Regards,
Marshall Shi (Shi Wei)
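As an added illustration of the mitigation discussed above (example code, not Shindig's own and not part of the original mail): a servlet filter that hides the "callback" parameter from the servlets behind it, so the response is never wrapped as JSONP, and logs each request that tried to use it. The filter class name, the log format and the use of the standard javax.servlet API are assumptions; the parameter name "callback" is the one named in the report.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, not Shindig code: strips the JSONP callback parameter before
// the JSON servlets see it, so they always emit plain JSON, which a cross-origin
// <script src=...> tag cannot read. Attempts are logged as a detection signal.
public class StripJsonpCallbackFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(StripJsonpCallbackFilter.class.getName());
    private static final String CALLBACK_PARAM = "callback"; // parameter name from the report

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest
                && ((HttpServletRequest) req).getParameter(CALLBACK_PARAM) != null) {
            HttpServletRequest http = (HttpServletRequest) req;
            LOG.warning("JSONP callback parameter ignored on " + http.getRequestURI()
                    + " from " + http.getRemoteAddr());
            req = new HttpServletRequestWrapper(http) {
                @Override public String getParameter(String name) {
                    // Return null for the callback so servlet code takes its plain-JSON path.
                    return CALLBACK_PARAM.equals(name) ? null : super.getParameter(name);
                }
                @Override public String[] getParameterValues(String name) {
                    return CALLBACK_PARAM.equals(name) ? null : super.getParameterValues(name);
                }
                @Override public Map<String, String[]> getParameterMap() {
                    // Copy and drop the key so code reading the whole map cannot see it either.
                    Map<String, String[]> copy = new HashMap<>(super.getParameterMap());
                    copy.remove(CALLBACK_PARAM);
                    return Collections.unmodifiableMap(copy);
                }
            };
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml to the paths of the affected servlets; removing the JSONP code path from the servlets themselves, as the mail proposes, makes the filter unnecessary.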
Currently, RPC Servlet entry, DataServiceServlet and JsonRpcServlet support a callback parameter which is added in front of a JSON response, turning the JSON into JSONP. An attacker can access this by adding a script tag with a source that links to these servlet entries on his page, when the script is loaded it automatically executes the function specified in the callback parameter and that function can for instance send the data to the attacker website. I've opened JIRA 1837 for this issue, and the proposed an improvement to extract a setting so application can disable JSONP feature. https://issues.apache.org/jira/browse/SHINDIG-1837 While taking further look into Shindig, seems Shindig no longer uses this support and since JSONP opens a security hole (defeats the browser's protection against XSS), I would prefer to simply remove it rather than introduce yet another configuration item. Anyone currently dependent on this support? Thanks Best Regards Marshall Shi(Shi Wei)