Bug 272360 - Client side java-script errors are too revealing for deployment
Summary: Client side java-script errors are too revealing for deployment
Status: RESOLVED WORKSFORME
Alias: None
Product: RAP
Classification: RT
Component: RWT
Version: 1.2
Hardware: All All
Importance: P3 enhancement
Target Milestone: ---
Assignee: Project Inbox CLA
QA Contact:
URL:
Whiteboard:
Keywords: needinfo
Depends on:
Blocks:
 
Reported: 2009-04-15 14:51 EDT by Austin Riddle CLA
Modified: 2010-02-08 09:48 EST (History)

See Also:


Attachments
Patch that delivers a more obscure message to the user (894 bytes, patch)
2009-04-15 14:51 EDT, Austin Riddle CLA

Description Austin Riddle CLA 2009-04-15 14:51:58 EDT
Created attachment 131961
Patch that delivers a more obscure message to the user

Build ID: RAP CVS HEAD

Steps To Reproduce:
Introduce a javascript error (could be syntactical) into a qooxdoo widget.  
Run the app and make it crash.
See that the error message might be too verbose (revealing actual application data).


More information:
This bug is more to share what we had to do to make our RAP app compliant with the network security folks.
Comment 1 Rüdiger Herrmann CLA 2009-04-16 13:23:43 EDT
The proposed patch would also "override" the session timeout notification (Session has timed out, click <here> to restart). The name of the function doesn't exactly reflect its purpose: to shut down the client-side application and display the given HTML page.

Could you clarify what sort of information is revealed in case of an error?
I see currently two 'types' of errors that may occur:
* a failed request, e.g. HTTP 500 because of a server-side exception. In this case it is the server's responsibility to put only that information into the response that should go over the wire. For example, specify an <error-page> element in your web.xml.
* a Javascript error caused while evaluating a response. What information is revealed there that wouldn't be revealed anyway if the evaluation succeeded?
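As an added illustration of the <error-page> approach suggested in the comment above (not part of the bug report or of RAP itself; the /error.html location is an assumption), a web.xml fragment that routes server-side failures to a static page so that exception messages and stack traces never reach the browser:

```xml
<!-- Added example, not RAP project code; /error.html is an assumed location. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Without explicit mappings, many servlet containers render their own
       default error page, which can include the exception class, its message
       and a full stack trace. -->

  <!-- Status codes the application may surface to the client -->
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
  </error-page>

  <!-- Catch-all for any uncaught exception thrown by a servlet or filter -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>

</web-app>
```

Keep /error.html static: a JSP at that location could still leak details by reading request attributes such as javax.servlet.error.exception or javax.servlet.error.message, so record those in the server log instead.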
Comment 2 Rüdiger Herrmann CLA 2010-02-08 09:48:05 EST
From my POV there doesn't need to be done more about this. Please reopen if you have outstanding issues.