[
https://issues.apache.org/jira/browse/TAPESTRY-1397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jesse Kuhnert updated TAPESTRY-1397:
------------------------------------
Fix Version/s: 4.2
> Secure integrated JSON functionality from JavaScript Hijacking
> --------------------------------------------------------------
>
> Key: TAPESTRY-1397
> URL: https://issues.apache.org/jira/browse/TAPESTRY-1397
> Project: Tapestry
> Issue Type: Task
> Components: JavaScript
> Affects Versions: 4.1.2, 4.2
> Reporter: Greg Woolsey
> Fix For: 4.2
>
>
> See
> http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
>
> for details and simple solution options.
> The security document indicates the Dojo project is already looking into the
> issue, so some coordination is probably in order, but I wanted to add an
> issue to track progress and thinking.
> The recommendation to include the session cookie if available in all JSON
> requests, and validate it on the server, is something Tapestry could
> incorporate easily. If there is a JSESSIONID cookie on the page generating
> the request, use it, otherwise send a "no-session" value. The server would
> then check to see if there really was no session, or if the parameter matched
> the current request's session.
> Also, the client-side suggestion of munging the response JS so it needs
> modification before execution is a good one. This is probably where Dojo
> changes would fit in. Personally, I like the infinite while loop suggestion,
> but that's just spite ;-)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
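The two defences proposed in the issue description above, as an added worked example in plain JavaScript. This is not Tapestry or Dojo code: the server side is simulated with plain functions, and the `sessionToken` request parameter name, the `while(1);` guard prefix, and the cookie, session and payload values are assumptions made for the illustration.

```javascript
// Added example (not Tapestry/Dojo code): the two JSON-hijacking defences
// proposed in TAPESTRY-1397, written as plain JavaScript so both halves of
// the exchange can be seen together.
//
// The attack: a hostile page does <script src="https://victim/app/json?...">.
// The browser attaches the victim's cookies, the JSON array executes as a
// script, and a redefined Array/setter on the hostile page captures the data.

// Guard prefix chosen for this example (the issue mentions an infinite while
// loop). A raw <script src> include hangs on it; a legitimate caller strips it.
const GUARD_PREFIX = 'while(1);';
const NO_SESSION = 'no-session';

// --- client side --------------------------------------------------------

// Read JSESSIONID out of a document.cookie string; fall back to "no-session".
// A cross-origin attacker page cannot read this cookie, so it cannot forge
// the parameter even though the browser would still send the cookie itself.
function sessionTokenFromCookie(cookieString) {
  const m = /(?:^|;\s*)JSESSIONID=([^;]*)/.exec(cookieString || '');
  return m ? decodeURIComponent(m[1]) : NO_SESSION;
}

// Build the URL for a JSON request; `sessionToken` is an assumed parameter
// name for this example.
function jsonRequestUrl(baseUrl, cookieString) {
  const token = encodeURIComponent(sessionTokenFromCookie(cookieString));
  return `${baseUrl}${baseUrl.includes('?') ? '&' : '?'}sessionToken=${token}`;
}

// Strip the guard before parsing. Use JSON.parse, never eval, so the prefix
// is required rather than merely tolerated.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error('response is missing the guard prefix; refusing to parse');
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// --- server side (simulated) -------------------------------------------

// `params` is the parsed query string; `serverSessionId` is the session the
// container sees for this request (null when there is none).
function handleJsonRequest(params, serverSessionId, payload) {
  const token = params.sessionToken;
  const expected = serverSessionId === null ? NO_SESSION : serverSessionId;
  if (token !== expected) {
    // Either no token at all (script-tag include), a stale one, or a forged one.
    return { status: 403, body: '' };
  }
  return { status: 200, body: GUARD_PREFIX + JSON.stringify(payload) };
}

// --- worked exchange with constructed values ----------------------------

function demo() {
  const cookie = 'theme=dark; JSESSIONID=A1B2C3';    // constructed
  const serverSession = 'A1B2C3';                     // constructed
  const secret = [{ account: '12345', balance: 99 }]; // constructed payload

  // Legitimate XHR from the application's own page.
  const url = jsonRequestUrl('/app/json', cookie);
  const params = Object.fromEntries(new URL(url, 'http://localhost').searchParams);
  const ok = handleJsonRequest(params, serverSession, secret);
  const data = parseGuardedJson(ok.body);

  // Hostile <script src> include: the cookie is still sent, but no token is known.
  const hijack = handleJsonRequest({}, serverSession, secret);

  return { url, okStatus: ok.status, data, hijackStatus: hijack.status };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Two practical notes: the guard prefix only protects data if every legitimate client strips it and uses a real JSON parser, since an `eval` of the raw body would just hang; and reusing the JSESSIONID value as the request token puts the session id into URLs, referers and access logs, so a separate random per-session token is the usual choice today, with the same comparison logic on the server.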