But you can only make calls to these entries if you are authenticated
with OAuth or a security token, assuming you disabled anonymous requests
from external user agents.

Could you give an example of use cases for this?

- Henry

On Thu, Aug 9, 2012 at 8:43 PM, Wei CSDL Shi <[email protected]> wrote:
>
>
> Hi all,
>
> Currently, RPC Servlet entry, DataServiceServlet and JsonRpcServlet support
> a callback parameter which is added in front of a JSON response, turning
> the JSON into JSONP. An attacker can access this by adding a script tag
> with a source that links to these servlet entries on his page, when the
> script is loaded it automatically executes the function specified in the
> callback parameter and that function can for instance send the data to the
> attacker website.
>
> I've opened JIRA 1837 for this issue and proposed an improvement to
> extract a setting so applications can disable the JSONP feature.
>
> https://issues.apache.org/jira/browse/SHINDIG-1837
>
> While taking a further look into Shindig, it seems Shindig no longer uses
> this support, and since JSONP opens a security hole (defeats the browser's
> protection against XSS), I would prefer to simply remove it rather than
> introduce yet another configuration item.
>
> Anyone currently dependent on this support?
>
> Thanks
> Best Regards
>
> Marshall Shi(Shi Wei)
