Config info leaked in HTML #1206
Comments
|
thanks @ooskapenaar, we will look into it. /cc @drewfish |
|
This should have been fixed by now. @lzhan can you validate and close this? |
|
I can still reproduce this issue. |
|
Honestly, I don't remember what behavior is correct. But I think the Remove those secrets from the master setting, and put it in server runtime, it will not leak: [
{
"settings": [ "master" ],
"specs": {
"frame": {
"type": "HTMLFrameMojit",
"config": {
"deploy": true,
"child": {
"type": "PagerMojit",
"config": {}
}
}
}
}
},
{
"settings": [ "runtime:server" ],
"specs": {
"frame": {
"config": {
"child": {
"config": {
"secret1": "this is a secret"
}
}
}
}
}
}
]Which means that the secret is only available for the server runtime, which has a semantic meaning, and makes more sense. Also, since that syntax is very weird, you could use the extension from @jlecomte to make this easier by using dot notation in json files: {
"settings": [ "runtime:server" ],
"specs.frame.config.child.config.secret1": "this is a secret"
} |
|
The extension @caridy refers to is https://github.com/yahoo/mojito-config-expansion |
https://github.com/yahoo/mojito/wiki/ReleaseNotes0_6_0 suggests that deeply embedded mojits config are not passed to the client. See comments: "// this config is not passed to the client". This is misleading. While the mojitProxy may not have access to this info it is still leaked to the client!!
To reproduce use the https://github.com/yahoo/mojito/tree/develop/examples/developer-guide/binding_events example with the application.json from following gist (https://gist.github.com/ooskapenaar/6089171).
Start the app and go to the page.
Look at the page source and search for "secret", you will find the complete application.json there.
The text was updated successfully, but these errors were encountered: