
This queue is for tickets about the Catalyst-Action-REST CPAN distribution.

Report information
The Basics
Id: 54336
Status: resolved
Priority: 0/
Queue: Catalyst-Action-REST

People
Owner: Nobody in particular
Requestors: onken [...] netcubed.de
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.81
Fixed in: (no value)



Subject: JSONP support introduces serious security problems
Before JSONP was introduced as a serializer, it was not possible to get the serialized content from a foreign website due to the same-origin policy. But now that you can choose JSONP as a serializer, you can easily add this to a foreign website to get the data from your REST controller:

<script src="http://yourwebsite.com/rest_controller/get_all_users?content-type=text/javascript"></script>

This is probably the reason why JSONP has been added, but it also adds a serious security problem. I disabled JSONP in all of my REST controllers, but there might be others out there who do not know of this change, and all their data is exposed to any website on the net.

I propose that JSONP should be disabled by default.
On Fri Feb 05 01:31:37 2010, PERLER wrote:

> Before JSONP was introduced as a serializer, it was not possible to get the serialized content from a foreign website due to the same-origin policy.
>
> But now that you can choose JSONP as a serializer, you can easily add this to a foreign website to get the data from your REST controller:
>
> <script src="http://yourwebsite.com/rest_controller/get_all_users?content-type=text/javascript"></script>
>
> This is probably the reason why JSONP has been added, but it also adds a serious security problem. I disabled JSONP in all of my REST controllers, but there might be others out there who do not know of this change, and all their data is exposed to any website on the net.
>
> I propose that JSONP should be disabled by default.
<script src="http://yourwebsite.com/rest_controller/get_all_users?content-type=text/javascript&callback=foo"></script>

You also need to specify the callback function.
Removed from the default config in the latest release, thanks.