Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#2656 closed enhancement (fixed)

implement a text/json-comment-filtered mimetype to allow servers to cooperate in avoiding "JavaScript hijacking" attacks

Reported by: alex
Owned by: alex
Priority: high
Milestone:
Component: IO
Version: 0.4.2
Keywords:
Cc:
Blocked By:
Blocking:

Description

Enhance our default text/json handling with an alternate mimetype (text/json-comment-filtered). Merge into the 0.4.x branch.

Change History (8)

comment:1 Changed 12 years ago by alex

(In [7811]) adding a text/json-comment-filtered type to the IO system. Refs #2656

comment:2 Changed 12 years ago by guest

This change has the side effect of outputting a message, "please consider using a mimetype of text/json-comment-filtered to avoid potential security issues with JSON endpoints", on the console when using the default dp: incrementalComboBoxDataProvider (the mimetype is hard-coded in line 69 of ComboBox.js).

comment:3 Changed 12 years ago by bill

See http://dojotoolkit.org/node/619 or http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for details on why this is a serious problem (and why adding // fixes it).
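The defence the ticket and comment 3 describe, written out as an added example (this is not Dojo's code and not part of the ticket): the server wraps the JSON body in a block comment, so a third-party page that loads the endpoint via `<script src="...">` gets a program that is entirely comment and evaluates to nothing, while the legitimate same-origin client strips the delimiters before parsing. The `*/` escaping, the function names and the sample record are assumptions of this example, not behaviour the ticket specifies.

```javascript
// Added example, not Dojo's implementation of text/json-comment-filtered.

// Server side: emit the payload as "/* <json> */".
// Loaded cross-site as a script, the whole response is one comment and runs nothing.
function wrapCommentFiltered(value) {
  const json = JSON.stringify(value);
  // A literal "*/" inside a string value would close the comment early and expose the
  // rest of the body as executable text. "\/" is a legal JSON escape for "/", so rewriting
  // "*/" to "*\/" keeps the comment intact and JSON.parse still yields the original string.
  // (Escaping choice is an assumption of this example.)
  return "/* " + json.replace(/\*\//g, "*\\/") + " */";
}

// Client side: only a same-origin caller that read the body with XMLHttpRequest can
// remove the comment delimiters and parse the JSON inside. Anything not wrapped is rejected.
function unwrapCommentFiltered(body) {
  const trimmed = body.trim();
  if (!trimmed.startsWith("/*") || !trimmed.endsWith("*/")) {
    throw new Error("response is not comment-filtered JSON");
  }
  return JSON.parse(trimmed.slice(2, -2));
}

// What a <script src> inclusion does with the body: evaluate it as a program and return
// the completion value. A bare JSON array is a valid program whose value is the data;
// a comment-filtered body is an empty program whose value is undefined.
function evaluateAsScript(body) {
  return (0, eval)(body); // indirect eval: global scope, like a script tag
}

// Constructed sample record; the note deliberately contains "*/".
const SAMPLE = [{ user: "alice", note: "ends */ here" }];

function demo() {
  const raw = JSON.stringify(SAMPLE);
  const wrapped = wrapCommentFiltered(SAMPLE);
  return {
    wrapped: wrapped,
    rawAsScript: evaluateAsScript(raw),        // the array itself: data exposed
    wrappedAsScript: evaluateAsScript(wrapped), // undefined: nothing to steal
    roundTrip: unwrapCommentFiltered(wrapped),  // the legitimate client's view
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The strict `unwrapCommentFiltered` is the part most often skipped: a client that silently accepts an unwrapped body gives the server no signal that it has fallen back to the vulnerable `text/json` form.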

comment:4 Changed 12 years ago by guest

from jean-francois.pone@… :

I agree this is a good solution, but maybe it would (poor English...) be interesting to change the default mimetype in the incrementalComboBoxDataProvider.

comment:5 Changed 12 years ago by James Burke

(In [8608]) Refs #2656. Porting json comment support to 0.4 branch

comment:6 Changed 12 years ago by James Burke

(In [8609]) Refs #2656. Making the test output a bit more readable.

comment:7 Changed 12 years ago by James Burke

Resolution: fixed
Status: new → closed

comment:8 Changed 12 years ago by (none)

Milestone: 0.4.3

Milestone 0.4.3 deleted
