thinking out loud [...] by @robertodecurnex


Several security changes have been made to the gem lately, so I think it's time to give you some more detailed information about the project status and to write release notes for every version (as I should have done from the very beginning… Shame on me!).

Before going into the details, I would like to thank the people who found and fixed these issues in the first place.

0.0.7 Release Notes

mzsanford has added callback sanitization methods to prevent XSS attacks.

Basically, we now only allow callbacks that are valid JS function names, so a JS code block can no longer be passed in their place.

The main risk of letting the callback be a chunk of JS code is that the user may access or edit our cookies, or build a whole page under our signature (e.g. phishing forms).
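To make the rule concrete, here is an added example (not the gem's own code) of what "only valid JS function names" looks like in practice: a callback is accepted only if it matches a conservative identifier grammar, and anything containing parentheses, semicolons or other statement syntax is refused before the JSON body is wrapped. The exact pattern the gem ships with is not shown on this page; the regex below, and the decision to also allow dotted paths and a trailing numeric index, are assumptions made for this example.

```ruby
# Added example, not code from the gem. Validates a JSONP callback name
# before using it to wrap a JSON body.

# Conservative JavaScript identifier: letters, digits, `$` and `_`, not
# starting with a digit. Dotted paths (e.g. `ns.handler`) and a trailing
# numeric index (`cb[0]`) are allowed here as an assumption, because some
# client libraries generate callbacks of that shape.
CALLBACK_RE = /\A[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*(?:\[\d+\])?\z/

# True only when the whole string is a plain function name (or path).
def valid_callback?(name)
  return false if name.nil?
  !!(name =~ CALLBACK_RE)
end

# Wraps an already-serialized JSON body in the callback. Returns nil when
# the callback is rejected, so the caller can fall back to plain JSON or
# answer with a 400 instead of emitting attacker-controlled script.
def jsonp_body(callback, json)
  return nil unless valid_callback?(callback)
  "#{callback}(#{json})"
end

if __FILE__ == $0
  json = '{"ok":true}'            # constructed sample body
  puts jsonp_body("jQuery18_cb", json)   # accepted: a function name
  p jsonp_body("foo();bar", json)        # nil: contains statements, not a name
  p jsonp_body("1abc", json)             # nil: not a valid identifier
end
```

Note that the check is an allow-list on the name, not a search for dangerous substrings: rejecting everything that is not a bare identifier is what closes the door on script injection through the callback parameter.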

0.0.6 Release Notes

amiel has fixed some bugs:

  1. Incorrect Content-Length when sending multibyte characters.
  2. Losing the Content-Type charset when requesting JSONP.

1) The Content-Length was computed by adding 1 byte for each character.

When sending multibyte characters this is not true, so we ended up with a smaller Content-Length and lost some trailing characters.

It was solved by computing the length based on the bytesize of each character.

2) Since the original Content-Type of the response is application/json, we overwrite it with application/javascript.

It turns out that the Content-Type may hold both the type and the encoding, and we were not preserving the encoding.

Now we just replace application/json with application/javascript and leave the rest of the Content-Type untouched.
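Both 0.0.6 fixes are easy to reproduce side by side. The following is an added example (not the gem's own code): it shows the buggy and corrected Content-Length computation on a body containing a two-byte UTF-8 character, and the buggy and corrected Content-Type rewrite on a header that carries a charset parameter. The header names, the sample body and the `jsonp_headers` helper are constructed for this example.

```ruby
# Added example, not code from the gem. Demonstrates the two bugs fixed in
# 0.0.6 and their fixes.

# Constructed sample JSONP body. "é" is one character but two bytes in
# UTF-8, so character count and byte count differ by one.
BODY = "cb({\"msg\":\"caf\u00e9\"})"

# Bug 1 (before): one byte assumed per character, so multibyte content
# yields a Content-Length that is too small and the tail gets cut off.
def buggy_content_length(body)
  body.length.to_s
end

# Fix 1: Content-Length is a byte count, so use String#bytesize.
def content_length(body)
  body.bytesize.to_s
end

# Bug 2 (before): the whole header was overwritten, dropping the charset.
def buggy_jsonp_content_type(_original)
  "application/javascript"
end

# Fix 2: swap only the media type; parameters such as charset stay intact.
def jsonp_content_type(original)
  original.sub("application/json", "application/javascript")
end

# Rebuilds the response headers for a JSONP body using the fixed versions.
def jsonp_headers(original_headers, body)
  original_headers.merge(
    "Content-Type"   => jsonp_content_type(original_headers["Content-Type"]),
    "Content-Length" => content_length(body)
  )
end

if __FILE__ == $0
  headers = { "Content-Type" => "application/json; charset=utf-8" }
  puts "buggy length: #{buggy_content_length(BODY)}, fixed: #{content_length(BODY)}"
  puts "buggy type:   #{buggy_jsonp_content_type(headers['Content-Type'])}"
  p jsonp_headers(headers, BODY)
end
```

The Content-Length point generalizes beyond this gem: any middleware that rewrites a body must recompute the header from the bytes it actually emits, because a short Content-Length truncates the response and a long one stalls the client waiting for bytes that never arrive.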

How about you?

Are you having any problems with the gem?

Is there any feature you would love to be included?

Fork the project, create some issues, propose some features. Don't be shy, we would love to get your feedback.
