Details
- Type: Task
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 4.1.2, 4.2
- Fix Version/s: None
Description
See http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for details and simple solution options.
The security document indicates the Dojo project is already looking into the issue, so some coordination is probably in order, but I wanted to add an issue to track progress and thinking.
The recommendation to include the session cookie if available in all JSON requests, and validate it on the server, is something Tapestry could incorporate easily. If there is a JSESSIONID cookie on the page generating the request, use it, otherwise send a "no-session" value. The server would then check to see if there really was no session, or if the parameter matched the current request's session.
Also, the client-side suggestion of munging the response JS so it needs modification before execution is a good one. This is probably where Dojo changes would fit in. Personally, I like the infinite while loop suggestion, but that's just spite.