#2656 closed enhancement (fixed)
implement a text/json-comment-filtered mimetype to allow servers to cooperate in avoiding "JavaScript hijacking" attacks
| Reported by: | alex | Owned by: | alex |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | IO | Version: | 0.4.2 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: |
Description
enhance our default text/json handling w/ an alternate mimetype (text/json-comment-filtered). Merge into the 0.4.x branch.
Change History (8)
comment:1 Changed 13 years ago by
comment:2 Changed 13 years ago by
This change has the side effect of outputing a message : "please consider using a mimetype of text/json-comment-filtered to avoid potential security issues with JSON endpoints" on the console when using the default dp : incrementalComboBoxDataProvider (mimetype is hard-coded in line 69 of ComboBox?.js)
comment:3 Changed 13 years ago by
See http://dojotoolkit.org/node/619 or http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for details on why this is a serious problem (and why adding // fixes it).
comment:4 Changed 13 years ago by
from jean-francois.pone@… :
I agree this is a good solution but may be it would (poor english...) be interesting to change the default mimetype in the incrementalComboBoxDataProvider.
comment:5 Changed 13 years ago by
comment:6 Changed 13 years ago by
comment:7 Changed 13 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
(In [7811]) adding a text/json-comment-filtered type to the IO system. Refs #2656