I think you miss the point ... our container has this closed down, but it
is a security hole for each container to close AND Shindig doesn't use it.
It would be far better for any container that wanted to support JSONP access
to add it rather than the other way around.

Rich Thompson



From:   Bastian Hofmann <[email protected]>
To:     [email protected],
Date:   08/17/2012 11:22 AM
Subject:        Re: removing JSONP support in Shindig



Hi,

JSONP is perfectly fine if you are not using cookie-based authentication
but OAuth or a security token. Same as CORS. These two methods (combined with
OAuth2 User Agent Flow) are basically the only sane ways to access a remote
API from a JavaScript app.

In your case something seems wrong in your setup.

Cheers

Bastian

On Fri, Aug 10, 2012 at 7:49 AM, Henry Saputra <[email protected]> wrote:

> Hmmm access to
>
> <host>/rest
>
> should be protected by OAuth or security token.
>
> The ApiServlet should throw 403 error
>
> - Henry
>
> On Thu, Aug 9, 2012 at 10:09 PM, Wei CSDL Shi <[email protected]> wrote:
>
> > Login to the application, load a test HTML file as below. It will show
> > alert popups with the leaked information, in this case the name of the
> > logged in person and their email address.
> >
> > ----- test.html ---
> > <html>
> > <body>
> > <script>
> > function dru(a) {
> > // for (i in a) { alert(i);}
> > // alert(a);
> > }
> >
> > function dru1(a) {
> > alert(a.entry.displayName);
> > alert(a.entry.emails[0].value);
> > // for (i in a.entry) { alert("" + i + ":" + a.entry[i]);}
> > // alert(a);
> > }
> > </script>
> > <script type="text/javascript"
> > src="https://XXXXXhost/rest/activitystreams/@me/@actions/@all?format=json&callback=dru">
> > </script>
> > <script type="text/javascript"
> > src="https://XXXXhost/rest/people/@me/@self?callback=dru1">
> > </script>
> > </body>
> > </html>
> >
> >
> > Thanks
> > Best Regards
> >
> > Marshall Shi(Shi Wei)
> >
> >
> > From: Henry Saputra <[email protected]>
> > To: [email protected],
> > Date: 2012-08-10 12:53
> > Subject: Re: removing JSONP support in Shindig
> > ------------------------------
> >
> >
> >
> > But you can only make calls to these entries if you are authenticated
> > with OAuth or security token. Assuming you disabled anon request from
> > external user agent.
> >
> > Could give example of use cases about this case?
> >
> > - Henry
> >
> > On Thu, Aug 9, 2012 at 8:43 PM, Wei CSDL Shi <[email protected]> wrote:
> > >
> > >
> > > Hi all,
> > >
> > > Currently, RPC Servlet entry, DataServiceServlet and JsonRpcServlet support
> > > a callback parameter which is added in front of a JSON response, turning
> > > the JSON into JSONP. An attacker can access this by adding a script tag
> > > with a source that links to these servlet entries on his page; when the
> > > script is loaded it automatically executes the function specified in the
> > > callback parameter, and that function can for instance send the data to
> > > the attacker website.
> > >
> > > I've opened JIRA 1837 for this issue, and proposed an improvement to
> > > extract a setting so an application can disable the JSONP feature.
> > >
> > > https://issues.apache.org/jira/browse/SHINDIG-1837
> > >
> > > While taking a further look into Shindig, it seems Shindig no longer uses
> > > this support, and since JSONP opens a security hole (defeats the browser's
> > > protection against XSS), I would prefer to simply remove it rather than
> > > introduce yet another configuration item.
> > >
> > > Anyone currently dependent on this support?
> > >
> > > Thanks
> > > Best Regards
> > >
> > > Marshall Shi(Shi Wei)
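Added example, not part of the thread and not Shindig's code: a small Node.js model of the behaviour Marshall's test.html exploits and of the condition Bastian describes. vulnerableHandler wraps the JSON in callback(...) whenever the parameter is present, so a cross-site <script src=...> tag, which the browser sends together with the victim's session cookie, hands the profile straight to the attacker's function. hardenedHandler only honours callback when the request carries a bearer token or an st query parameter (assumed here to stand for a security token; Shindig's own token validation is not modelled), answers cookie-only callback requests with 403, and restricts the callback name to a plain identifier so the parameter cannot inject script. simulateScriptTag plays the attacker's page. The sample profile, the shindig.example host and all function names are constructed for this example.

```javascript
// Added example, not Shindig code: a JSONP-capable REST endpoint, the
// cross-site <script> tag that hijacks it, and a hardened variant.

// Constructed record standing in for the /rest/people/@me/@self response.
const SAMPLE_PROFILE = {
  entry: {
    displayName: 'Marshall Shi',
    emails: [{ value: 'marshall@example.invalid' }],
  },
};

// Callback names are limited to dotted identifiers so the parameter can
// never place arbitrary JavaScript into the response body.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Vulnerable handler: any request carrying a session cookie is served, and
// ?callback=name turns the JSON into the executable script name(...).
function vulnerableHandler(req) {
  const url = new URL(req.url, 'https://shindig.example');
  const cb = url.searchParams.get('callback');
  const json = JSON.stringify(SAMPLE_PROFILE);
  if (!req.headers.cookie) {
    return { status: 401, contentType: 'application/json', body: '{"error":"login required"}' };
  }
  if (cb) {
    return { status: 200, contentType: 'text/javascript', body: `${cb}(${json})` };
  }
  return { status: 200, contentType: 'application/json', body: json };
}

// Hardened handler: JSONP is only available to requests authenticated with a
// bearer token or an `st` security-token parameter (assumption for this
// example; token validation is not modelled). A <script src> load cannot add
// an Authorization header and the attacker does not know the token, so a
// cookie-only request gets plain JSON, or a 403 if it asks for a callback.
function hardenedHandler(req) {
  const url = new URL(req.url, 'https://shindig.example');
  const cb = url.searchParams.get('callback');
  const json = JSON.stringify(SAMPLE_PROFILE);
  const hasToken =
    /^Bearer\s+\S+/.test(req.headers.authorization || '') || url.searchParams.has('st');
  if (!hasToken && !req.headers.cookie) {
    return { status: 401, contentType: 'application/json', body: '{"error":"login required"}' };
  }
  if (cb === null) {
    return { status: 200, contentType: 'application/json', body: json };
  }
  if (!hasToken) {
    return { status: 403, contentType: 'application/json', body: '{"error":"callback requires token authentication"}' };
  }
  if (!CALLBACK_NAME.test(cb)) {
    return { status: 400, contentType: 'application/json', body: '{"error":"bad callback name"}' };
  }
  return { status: 200, contentType: 'text/javascript', body: `${cb}(${json})` };
}

// What the attacker's page does with <script src="...?callback=dru1">: the
// response body runs as a script with dru1 defined by the attacker. Modelled
// with new Function; returns the object dru1 received, or null if nothing ran
// (non-200 response, or a body such as plain JSON that is not valid script).
function simulateScriptTag(resp) {
  if (resp.status !== 200) return null;
  let leaked = null;
  try {
    const run = new Function('dru1', resp.body);
    run((data) => { leaked = data; });
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
  }
  return leaked;
}

// What a cross-site page learns from each handler when the victim is logged
// in with a cookie, mirroring alert(a.entry.displayName) in test.html.
function compare() {
  const attackerLoad = {
    url: '/rest/people/@me/@self?callback=dru1',
    headers: { cookie: 'JSESSIONID=victim-session' },
  };
  const before = simulateScriptTag(vulnerableHandler(attackerLoad));
  const after = simulateScriptTag(hardenedHandler(attackerLoad));
  return {
    vulnerable: before ? before.entry.displayName : null,
    hardened: after ? after.entry.displayName : null,
  };
}
```

compare() returns { vulnerable: 'Marshall Shi', hardened: null }: the same cookie-authenticated script load that leaks the display name from the first handler gets nothing from the second, while a caller that presents a token still receives dru1({...}) from hardenedHandler. Rich's point holds here too: the only way to be sure no deployment is exposed is for the default to be "no callback" and for a container that wants JSONP to opt in.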