Environment: None
Activity
Scott Cantor
May 11, 2012 at 8:05 PM
Closing with documentation added. Add contentType="application/json" to turn the output into JSON.
Lukas: Yes, you are right. Using some XSS attack, personal information could be stolen a bit more easily if this option were enabled for an SP. On the other hand, an XSS attack could also just try to parse another known page on the same host that displays some user information (like the user profile page in an e-learning system).
I'm not saying that this is supposed to be enabled by default, but I think there are legit use cases where something like this is useful. And yes, JSON is even better.
Scott Cantor
May 27, 2011 at 7:44 PM
This actually sounds likely to expose personal information to all kinds of attackers, but I suppose anybody turning on showAttributeValues is already doing that. It seems like if the goal is to explicitly hand over the information to JavaScript, it would make more sense to just define a new option to format the result as JSON.
There are more and more JavaScript applications that would benefit from accessing the user's Shibboleth attributes. Thanks to the Session handler and the showAttributeValues="true" setting, this is already possible. However, when accessing the Shibboleth Session handler via /Shibboleth.sso/Session, the returned output is valid HTML (even XHTML, I think), but it is not very convenient to parse and access because the format looks like this:
<u>Attributes</u>
<strong>Shib-EP-Affiliation</strong>: staff
<strong>Shib-EP-Entitlement</strong>: https://aai-demo-idp.switch.ch/idp/shibboleth;https://aai-rr.switch.ch;urn:geant:edugain:entitlement:eduroam:TTS;https://gamalama.switch.ch/idp/shibboleth;urn:mace:rediris.es:entitlement:wiki:tfemc2;urn:mace:rediris.es:entitlement:wiki:jra5;urn:mace:dir:entitlement:common-lib-terms
<strong>Shib-InetOrgPerson-givenName</strong>: Lukas
<strong>Shib-InetOrgPerson-mail</strong>: lukas.haemmerle@switch.ch
...
It would be more convenient to have attributes and values nested and more accessible, e.g. something like:
<div id="attributes">
<u>Attributes</u>
<dl>
<dt id="Shib-EP-Affiliation">Shib-EP-Affiliation</dt><dd>staff</dd>
<dt id="Shib-EP-Entitlement">Shib-EP-Entitlement</dt><dd>https://aai-demo-idp.switch.ch/idp/shibboleth;https://aai-rr.switch.ch;urn:geant:edugain:entitlement:eduroam:TTS;https://gamalama.switch.ch/idp/shibboleth;urn:mace:rediris.es:entitlement:wiki:tfemc2;urn:mace:rediris.es:entitlement:wiki:jra5;urn:mace:dir:entitlement:common-lib-terms</dd>
...
</dl>
</div>
It may be that some people are already parsing the output of the current session handler. Therefore, changing the output (without introducing a new config option) could break their parsing.
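As an added illustration (not code from the Shibboleth SP project or from the issue reporter), the following parser turns the current `<strong>Name</strong>: value` session-handler output into a plain object, which is what a JavaScript application has to do today before the contentType="application/json" option is used. It assumes one attribute per line terminated by a line break, and that multi-valued attributes are joined with `;` as in the quoted output; the sample input is constructed to mirror that shape.

```javascript
// Added example: client-side parsing of the HTML that
// /Shibboleth.sso/Session emits when showAttributeValues="true".
// Assumption: each attribute is "<strong>Name</strong>: value" on its own
// line; multi-valued attributes are ';'-joined, so values become arrays.
// Note that anything readable by this script is readable by any other
// script running on the same origin, which is the exposure the
// discussion above points out.

const ATTR_LINE = /<strong>([^<]+)<\/strong>:\s*([^\n<]*)/g;

// Undo the HTML escaping the handler applies to attribute values.
function decodeEntities(s) {
  return s.replace(/&amp;/g, '&').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&quot;/g, '"');
}

// Returns { attributeName: [value, ...], ... }
function parseSessionAttributes(html) {
  const attrs = {};
  for (const m of html.matchAll(ATTR_LINE)) {
    const name = decodeEntities(m[1].trim());
    const values = m[2].trim()
      .split(';')
      .map(v => decodeEntities(v.trim()))
      .filter(Boolean);            // drop empty strings from trailing ';'
    attrs[name] = values;
  }
  return attrs;
}

// Constructed sample in the shape of the output quoted above.
const SAMPLE = [
  '<u>Attributes</u><br/>',
  '<strong>Shib-EP-Affiliation</strong>: staff<br/>',
  '<strong>Shib-EP-Entitlement</strong>: https://aai-demo-idp.switch.ch/idp/shibboleth;urn:mace:dir:entitlement:common-lib-terms<br/>',
  '<strong>Shib-InetOrgPerson-mail</strong>: lukas.haemmerle@switch.ch<br/>',
].join('\n');

console.log(parseSessionAttributes(SAMPLE));
```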