XSS XHR Security Violation on SSL/HTTPS.

[Jason_Jm]

XSS XHR Security Violation on SSL/HTTPS.
I understand SSL with the current release is NOT guaranteed yet however when the time comes this should be looked at.

I've flagged this with 'major' severity as it's a security issue and I believe these by default should be above normal.

Ajax triggers XSS security violation in the following browsers:
Opera
Chrome (current stable - trunk as of 7.21.2009)
Safari (current stable - trunk as of 7.21.2009)
WebKit (current stable - nightly build as of 7.21.2009)

Browsers that allow ajax to run:
I.E. 6
FireFox 2.X

Untested:
I.E. 7, 8, 9 :-)

Types of Ajax Actions which this occurs:

• Favorites add/remove
• User topic reply delete/undelete Ajax triggers WebKit Browsers and others.

Stack (Latest Stable as of 7.21.2009):
WPMU 2.8.1 >> bbpress 1.0.1 >> Integration Plugin

Additional Notes:

• You need to define both SSL options in both wp-config, bb-config.
• You need to edit integration plugin, manually flagging secure=true as secure cookies aren't generated in current version.

Debugging Info:

• I've only (at this time) debugged upto the xhr.send().
• Error is caught by jQuery in catch block, with "Security Violation" being the only indicator.
• Will continue debugging when there is free time.

Forum Post with additional info:
http://bbpress.org/forums/topic/chromesafari-webkit-javascriptajax-issues

• Jason Giedymin

[Jason_Jm]

Work around is to remove the class from the span tag. This can be done via jQuery on Document load. This will force plain href linking and bbpress will force redirect back to the page with the changes reflected.

Or you can strip the href from it's wrapping span.

[Nightgunner5]

I just looked through the path the code takes to send the XHR, and it should be switching to SSL (the URL is grabbed using a context containing BB_URI_CONTEXT_BB_ADMIN).

[GautamGupta]

Should wait for now.

[johnjamesjacoby]

Moving to 1.1-alpha Version as part of trac triage.