Issue 118640043: Protect proxy JSONP responses against "Rosetta Flash" vulnerability.

Keyboard Shortcuts

	File
u :	up to issue
m :	publish + mail comments
M :	edit review message
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line
<Enter> :	respond to / edit current comment
d :	mark current comment as done

	Issue
u :	up to list of issues
m :	publish + mail comments
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue
# :	close issue

	Comment/message editing
<Ctrl> + s or <Ctrl> + Enter :	save comment
<Esc> :	cancel edit

Issue 118640043: Protect proxy JSONP responses against "Rosetta Flash" vulnerability. (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
11 years, 5 months ago by kpreid_google

Modified:
11 years, 3 months ago

Reviewers:
felix8a

CC:
caja-discuss-undisclosed_googlegroups.com, MarkM, felix8a, ihab.awad, Jasvir, kpreid2, metaweta, MikeSamuel

Base URL:
http://google-caja.googlecode.com/svn/trunk/

Visibility:
Public.

More Reviews

Description

The so-called "Rosetta Flash" vulnerability is that allowing arbitrary yet identifier-like text at the beginning of a JSONP response is sufficient for it to be interpreted as a Flash file executing in that origin. See for more information: http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ JSONP responses from the proxy servlet now: * are prefixed with "/**/", which still allows them to execute as JSONP but removes requester control over the first bytes of the response. * have the response header Content-Disposition: attachment. Another recommended mitigation, "X-Content-Type-Options: nosniff", was already present. Bug: <https://code.google.com/p/google-caja/issues/detail?id=1923> @r5697

Patch Set 1 #

Created: 11 years, 5 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Stats (+12 lines, -4 lines)			Patch
M	src/com/google/caja/service/ProxyServlet.java	View	2 chunks	+2 lines, -1 line	0 comments	Download
M	tests/com/google/caja/plugin/test-fetch-proxy.js	View	2 chunks	+7 lines, -1 line	0 comments	Download
M	tests/com/google/caja/service/ServiceTestCase.java	View	2 chunks	+3 lines, -2 lines	0 comments	Download

Messages

Total messages: 2

Expand All Messages | Collapse All Messages

lgtm

Expand All Messages | Collapse All Messages