How to prefix all JSON responses in play2 to prevent JSONP escalation through vulnerable requests

I want to prefix all my JSON responses with a sequence of characters like ")]}',\n" to prevent JSONP escalation vulnerabilities.

How can this be done within play2? I set my sidebars to JSON and preprocess all the responses manually, but I'm looking for a more elegant way to do this job using the framework's built-in features.

+3




2 answers


What do you mean by "JSONP escalation vulnerabilities"? (Googling for it returns this question as the first result and almost nothing else.)

Do you want people not to use JSON as JSONP? Then just don't include JSONP padding.



Do you want people not to be able to use your JSON in other programs without the same origin policy issues, outside the browser or proxy with their own servers to serve clients on their own domain, etc.? Then it is not possible. Even if you serve some mangled JSON, they'll figure it out anyway. The only thing you can do is write the terms and conditions that prohibit this and sue them (good luck with that).

+1




I think the ideal thing in this case is to provide a custom implicit play.api.http.Writeable. You can do this by adding an implicit definition to the trait that your controller extends:

import play.api.http.Writeable
import play.api.libs.json.JsValue
import play.api.mvc.Codec

// Mix this trait into a controller: every JsValue result body is then
// serialised with the non-executable prefix in front, so a third-party page
// cannot load the response as a script.
trait SecuredJsonController {
  implicit def writeableOf_JsValue(implicit codec: Codec): Writeable[JsValue] = {
    Writeable(jsval => codec.encode(")]}',\n" + jsval.toString))
  }
}

This works well for me. I'm not sure what you meant in your answer to Zed, but very often you have tried to destroy JSON vulnerabilities by supplementing your response bodies in the same way you originally asked. Google does this with "while(1);" and Facebook with "for(;;);", so it's a good guarantee. Learn more about these vulnerabilities here.

+1


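The prefix in the answer above only helps if the legitimate client strips it before parsing, and it only defends because the prefixed body is not a valid script. The following is an added example, not code from the question or the answers: a JavaScript sketch of both sides (the server-side wrapping that the Scala Writeable performs, and the browser-side unwrapping), plus a check that compiles a body as a function without running it to show whether a cross-site <script> tag could have executed it. The PREFIX constant and the sample payload are constructed for this example.

```javascript
// Added example (not part of the original post). Assumptions: the server
// prepends exactly PREFIX to every JSON body, and the in-app client strips
// it before JSON.parse. The sample payload below is constructed.
const PREFIX = ")]}',\n";

// Server side: the JavaScript counterpart of the Scala Writeable in the
// answer, prepending the guard to the serialised body.
function guardJson(value) {
  return PREFIX + JSON.stringify(value);
}

// Client side: refuse bodies that lack the prefix (a downgraded or proxied
// response), strip it, then parse the remainder as JSON.
function parseGuardedJson(body) {
  if (!body.startsWith(PREFIX)) {
    throw new Error("response is missing the JSON guard prefix");
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// Why the prefix helps: a third-party page can only reach a cross-origin
// body by loading it as <script>. This helper compiles a body as a function
// (it is never executed) and reports whether it would parse as JavaScript.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

const sample = { user: "alice", sessionSecret: "constructed-sample-value" };
const guarded = guardJson(sample);

// A bare JSON array literal is a valid script (the classic hijack case);
// the guarded body is not, and the client round-trips it cleanly.
// parsesAsScript('[{"user":"alice"}]')  -> true
// parsesAsScript(guarded)               -> false
// parseGuardedJson(guarded).user        -> "alice"
```

Note that parsesAsScript only measures parse-ability: the "while(1);" and "for(;;);" prefixes mentioned above compile fine and defend by never terminating when executed, whereas ")]}',\n" fails at parse time, which is why it is the safer choice for a check like this.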
