[
https://issues.apache.org/jira/browse/MESOS-5918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16250447#comment-16250447
]
Alexander Rojas commented on MESOS-5918:
----------------------------------------
For backwards compatibility I think it will be a while before we can completely
remove the {{jsonp}} parameter from our codebase; however, that doesn't mean we
cannot mitigate the problem of the possible attacks by properly treating the
{{jsonp}} parameter.
As it is currently implemented, we just return whatever value was given in the
parameter, e.g.:
{code}
return OK(_flags(), request.url.query.get("jsonp"));
{code}
But we should probably parse that {{jsonp}} is just a JS identifier. Apparently
just Internet Explorer up to version 11 is vulnerable to this attack.
> Replace jsonp with a more secure alternative
> --------------------------------------------
>
> Key: MESOS-5918
> URL: https://issues.apache.org/jira/browse/MESOS-5918
> Project: Mesos
> Issue Type: Improvement
> Components: webui
> Reporter: Yan Xu
>
> We currently use the {{jsonp}} technique to bypass CORS check. This practice
> has many security concerns (see discussions on MESOS-5911) so we should
> replace it with a better alternative.
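One way to do the check the comment proposes, as an added example that is not Mesos code: accept the {{jsonp}} value only if it is a plain ASCII JavaScript identifier, and refuse to build the response body otherwise. The names {{isJsonpIdentifier}} and {{renderJsonp}} are hypothetical.

```cpp
#include <cctype>
#include <set>
#include <string>

// Hypothetical validator (added example, not Mesos code): accept only an
// ASCII ECMAScript identifier, so a reflected "jsonp" value cannot carry
// markup or script punctuation into the response body.
bool isJsonpIdentifier(const std::string& name) {
  if (name.empty() || name.size() > 128) {
    return false;
  }
  auto isStart = [](unsigned char c) {
    return std::isalpha(c) || c == '_' || c == '$';
  };
  auto isPart = [&](unsigned char c) { return isStart(c) || std::isdigit(c); };
  if (!isStart(static_cast<unsigned char>(name[0]))) {
    return false;
  }
  for (size_t i = 1; i < name.size(); i++) {
    if (!isPart(static_cast<unsigned char>(name[i]))) {
      return false;
    }
  }
  // A reserved word has identifier syntax but cannot name a callback;
  // reject a few common ones so the body stays a plain function call.
  static const std::set<std::string> reserved = {
      "function", "return", "var", "let", "const", "if", "else",
      "this", "new", "delete", "typeof", "void"};
  return reserved.count(name) == 0;
}

// Build the JSONP body only when the callback passed validation. Returns the
// empty string on rejection (a valid body is never empty); the caller should
// then answer 400 Bad Request instead of reflecting the query value.
std::string renderJsonp(const std::string& callback, const std::string& json) {
  if (!isJsonpIdentifier(callback)) {
    return "";
  }
  return callback + "(" + json + ");";
}
```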
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)