Contact us
Get started
Loading...
Important Notice - Forums is archived

To simplify things and help our users to be more productive, we have archived the current forum and focus our efforts on helping developers on Stack Overflow. You can post new questions on Stack Overflow or join our Discord channel.

Product icon
TUTORIAL

Vaadin lets you build secure, UX-first PWAs entirely in Java.
Free ebook & tutorial.

Programmatically open a new browser window by Tarek Oraby, 3 weeks ago
Recent Posts
Vaadin Forum3. Vaadin 6, 7, 8

Vulnerability with Push Requests with Atmosphere

Tupi Guarani
6 years ago May 20, 2016 9:20am

Hello all,

our application is configured to work with push. The requests to the app server look like the following

https://skip.dot.com/app/PUSH?skip=stuff&X-Atmosphere-tracking-id=0&X-Atmosphere-Framework=2.2.13.vaadin3-jquery&X-Atmosphere-Transport=long-polling&X-Atmosphere-TrackMessageSize=true&Content-Type=application%2Fjson%3B%20charset%3DUTF-8&X-atmo-protocol=true&_=123456789

The X-Atmosphere-Framework parameter reveals a concrete implementation (version 2.2.13.vaadin3-jquery) which has been pointed out in a security audit as something one should avoid (or remove, in our case). (By the way, Vaadin has others, e.g. https://skip.dot.com/app/VAADIN/vaadinPush.js?v=7.6.4)

My question is whether it's possible to configure the application to use another framework. Or if there's an entry point we could implement to avoid passing around of version numbers? Has Vaadin been updated to use a newerversion of Atmosphere, as 2.2 has already reached "end-of-life" (https://github.com/Atmosphere/atmosphere).

Any hints are welcome.

Thanks in advance!

Cheers

Tupi