Ticket #2656 (closed enhancement: fixed)

Opened 17 months ago

Last modified 15 months ago

implement a text/json-comment-filtered mimetype to allow servers to cooperate in avoiding "JavaScript hijacking" attacks

Reported by: alex Owned by: alex
Priority: normal Milestone:
Component: IO Version: 0.4.2
Severity: normal Keywords:
Cc:

Description

enhance our default text/json handling w/ an alternate mimetype (text/json-comment-filtered). Merge into the 0.4.x branch.

Change History

Changed 17 months ago by alex

(In [7811]) adding a text/json-comment-filtered type to the IO system. Refs #2656

Changed 17 months ago by guest

This change has the side effect of outputting a message: "please consider using a mimetype of text/json-comment-filtered to avoid potential security issues with JSON endpoints" on the console when using the default dp: incrementalComboBoxDataProvider (mimetype is hard-coded in line 69 of ComboBox.js)

Changed 17 months ago by bill

See http://dojotoolkit.org/node/619 or http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for details on why this is a serious problem (and why adding /**/ fixes it).
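An added example, not code from the Dojo project or from this ticket, of the convention bill refers to: the server wraps the JSON text in a block comment, the XHR client strips it before parsing, and the same body loaded as a script yields nothing. The escaping of "*/" inside string values is my own assumption about a safe implementation, not something the ticket describes.

```javascript
// Server side: produce a text/json-comment-filtered body.
// JSON.stringify never emits "*/" outside string values, so the only way the
// wrapping comment could be closed early is a string containing "*/".
// "\/" is a legal JSON escape for "/", so rewriting it keeps the data intact.
// (Assumption: the original Dojo implementation may not do this.)
function toCommentFilteredJson(value) {
  const json = JSON.stringify(value).replace(/\*\//g, "*\\/");
  return "/*" + json + "*/";
}

// Client side: accept only a body fully enclosed in one block comment.
// A plain text/json body is rejected rather than parsed, so a server that
// forgot to filter its output is noticed instead of silently trusted.
function fromCommentFilteredJson(body) {
  const m = /^\s*\/\*([\s\S]*)\*\/\s*$/.exec(body);
  if (m === null) {
    throw new Error("response is not comment-filtered JSON");
  }
  return JSON.parse(m[1]);
}

// Stand-in for a hostile page loading the endpoint with <script src="...">:
// whatever the body evaluates to is what such a page could observe.
// A raw JSON literal evaluates to the data; the filtered body evaluates to
// nothing, because the whole of it is a comment.
function valueIfLoadedAsScript(body) {
  return new Function("return " + body)();
}
```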

Changed 16 months ago by guest

from jean-francois.pone@… :

I agree this is a good solution but maybe it would (poor English...) be interesting to change the default mimetype in the incrementalComboBoxDataProvider.

Changed 16 months ago by jburke

(In [8608]) Refs #2656. Porting json comment support to 0.4 branch

Changed 16 months ago by jburke

(In [8609]) Refs #2656. Making the test output a bit more readable.

Changed 16 months ago by jburke

  • status changed from new to closed
  • resolution set to fixed

Changed 15 months ago by anonymous

  • milestone deleted

Milestone 0.4.3 deleted
