View Revisions: Issue #34330
Summary: 0034330: Support multi-server requests in a better, more secure way
Revision: 2016-10-28 10:32 by mtaal
Description: Currently we allow multi-server requests by setting very wide cross domain allowances [1]. This makes the system very flexible and lowers the configuration effort. However, this also means that there is a potential for cross-domain scripting [2]. Therefore the proposal is to improve this and work with a list of allowed domains, configurable in OB.
[1] https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/file/8078590c67e8/src/org/openbravo/mobile/core/process/WebServiceAuthenticatedServlet.java#l48
[2] https://en.wikipedia.org/wiki/Cross-site_scripting
[3] https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
[4] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
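As an added example (not Openbravo's code and not the servlet linked in [1]), the following plain Java class shows the allowlist approach the proposal describes: the request's Origin header is normalised and compared against a configured set of origins, and only an exact match is echoed back, in contrast to a wildcard or echo-any-origin grant. The class name, the origin values and the `headersFor` method are all hypothetical; the real servlet would copy the returned entries onto its HTTP response.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;

/** Decides CORS response headers for a request Origin against a configured allowlist. */
public final class CorsOriginPolicy {
    private final Set<String> allowedOrigins;

    /** Configured origins (e.g. from an OB preference); malformed entries are dropped. */
    public CorsOriginPolicy(Collection<String> configured) {
        Set<String> s = new HashSet<>();
        for (String o : configured) {
            String n = normalize(o);
            if (n != null) s.add(n);
        }
        allowedOrigins = Collections.unmodifiableSet(s);
    }

    /** Normalise to lower-case scheme://host[:port]; null if it is not a syntactically valid origin. */
    static String normalize(String origin) {
        if (origin == null || origin.isEmpty() || "null".equals(origin)) return null;
        try {
            URI u = new URI(origin);
            if (u.getScheme() == null || u.getHost() == null) return null;
            if (!u.getRawPath().isEmpty() || u.getRawQuery() != null) return null; // an Origin carries no path
            String s = u.getScheme().toLowerCase(Locale.ROOT) + "://" + u.getHost().toLowerCase(Locale.ROOT);
            return u.getPort() == -1 ? s : s + ":" + u.getPort(); // explicit default ports are not folded
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Headers to set for a request from {@code origin}; an empty map means no cross-origin grant. */
    public Map<String, String> headersFor(String origin) {
        Map<String, String> h = new LinkedHashMap<>();
        String n = normalize(origin);
        if (n == null || !allowedOrigins.contains(n)) return h;  // unknown origin: emit no CORS headers
        // The wide alternative would be "Access-Control-Allow-Origin: *" or echoing any Origin value;
        // here only the single matching allowlisted origin is returned.
        h.put("Access-Control-Allow-Origin", n);
        h.put("Access-Control-Allow-Credentials", "true");
        h.put("Vary", "Origin");  // stop shared caches from reusing one origin's grant for another
        return h;
    }

    public static void main(String[] args) {
        CorsOriginPolicy p = new CorsOriginPolicy(List.of("https://pos.example.com", "https://pos.example.com:8443"));
        for (String o : new String[] {"https://pos.example.com", "https://POS.example.com:8443",
                                      "https://pos.example.com/path", "https://other.example.net", null}) {
            System.out.println(o + " -> " + p.headersFor(o));
        }
    }
}
```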
Revision: 2016-10-28 10:28 by mtaal
Description: Currently we allow multi-server requests by setting very wide cross domain allowances [1]. This makes the system very flexible and lowers the configuration effort. However, this also means that there is a potential for cross-domain scripting [2]. Therefore the proposal is to improve this and work with a list of allowed domains, configurable in OB.
[2] https://en.wikipedia.org/wiki/Cross-site_scripting
[3] https://en.wikipedia.org/wiki/Cross-origin_resource_sharing