Config info leaked in HTML #1206

Open
ooskapenaar opened this Issue Jul 26, 2013 · 5 comments

Projects

None yet

4 participants

@ooskapenaar

https://github.com/yahoo/mojito/wiki/ReleaseNotes0_6_0 suggests that deeply embedded mojits config are not passed to the client. See comments: "// this config is not passed to the client". This is misleading. While the mojitProxy may not have access to this info it is still leaked to the client!!

To reproduce use the https://github.com/yahoo/mojito/tree/develop/examples/developer-guide/binding_events example with the application.json from following gist (https://gist.github.com/ooskapenaar/6089171).

Start the app and go to the page.

Look at the page source and search for "secret", you will find the complete application.json there.

@caridy
Collaborator
caridy commented Jul 26, 2013

thanks @ooskapenaar, we will look into it. /cc @drewfish

@caridy
Collaborator
caridy commented Mar 3, 2014

This should have been fixed by now. @lzhan can you validate and close this?

@lzhan
Contributor
lzhan commented Mar 4, 2014

I can still reproduce this issue.

@caridy
Collaborator
caridy commented Mar 4, 2014

Honestly, I don't remember what behavior is correct. But I think the runtime was an important part of the security protection. I think this will work just fine:

Remove those secrets from the master setting, and put it in server runtime, it will not leak:

[
  {
    "settings": [ "master" ],
    "specs": {
      "frame": {
        "type": "HTMLFrameMojit",
        "config": {
            "deploy": true,
            "child": {
              "type": "PagerMojit",
              "config": {}
            }
        }
      }
    }
  },
  {
    "settings": [ "runtime:server" ],
    "specs": {
      "frame": {
        "config": {
          "child": {
            "config": {
              "secret1": "this is a secret"
            }
          }
        }
      }
    }
  }
]

Which means that the secret is only available for the server runtime, which has a semantic meaning, and makes more sense.

Also, since that syntax is very weird, you could use the extension from @jlecomte to make this easier by using dot notation in json files:

  {
    "settings": [ "runtime:server" ],
    "specs.frame.config.child.config.secret1": "this is a secret"
  }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment