Ryan Rutan

Throw allowIllegalResourceCall to the Curb is True!

Blog Post created by Ryan Rutan on Jun 29, 2015

For any developer who has used the Jive REST API, you may have run into a problem with a security measure we put in place a while back that prefixes API responses with the following line:

throw 'allowIllegalResourceCall is false.';

This aspect of the API was introduced to help protect against JSON hijacking back when web browsers were susceptible to it.

As modern browsers have matured, so has their built-in protection against this type of attack.  As such, Jive is looking into migration paths that would allow us to remove this line from our API, so that the response is pure JSON once again.  Once we have cleared our browser support list of susceptible browsers, we can start taking active measures to remove this safety measure.


What Does This Mean for You / Recommendations

When it comes time to roll out changes, it is always hard because you never know how developers have coded things up to this point.


To best prepare yourself (and your code) for this change, whose timing and process have not yet been decided, it is recommended that you:

  • review your code for any places that strip this prefix (the "code stripping")
  • ensure that any code executed will work successfully, with or without this prefix in the response body.


Some example solutions include:

  • response.substring(response.indexOf('{')) - "find the first {, and take a substring from that position to the end of the string."
  • JSON.parse(response.replace(/^throw.*;/, "").trim()); - "using a RegEx anchored to the start of the response, find the leading line that starts with throw and ends in a semi-colon; if found, replace it with an empty string."
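The following is an added example (not code from the original post or from Jive) that combines both recommendations: it removes the legacy throw prefix only when it is the first statement in the body, and parses the response identically whether or not the prefix is present. The sample response bodies are constructed, not captured from a real Jive instance; it also handles array payloads, which the substring-from-first-'{' pattern above would break.

```javascript
// Added example, not Jive's code: tolerate the legacy "throw '...';" prefix on
// Jive REST API responses, and keep working once Jive removes it.

// Matches only a leading throw statement with a single-quoted message, e.g.
// throw 'allowIllegalResourceCall is false.';  -- anchored at the start, so a
// "throw" that appears inside the JSON payload itself is never touched.
const LEGACY_PREFIX_RE = /^\s*throw\s+'[^']*';\s*/;

function stripLegacyPrefix(body) {
  return body.replace(LEGACY_PREFIX_RE, "");
}

function parseJiveResponse(body) {
  if (typeof body !== "string") {
    throw new TypeError("response body must be a string");
  }
  const json = stripLegacyPrefix(body).trim();
  if (json === "") {
    throw new SyntaxError("response body is empty after removing the prefix");
  }
  // Works for both object and array payloads; taking a substring from the
  // first '{' would drop the leading '[' of an array response.
  return JSON.parse(json);
}

// Constructed sample bodies (not captured from a real Jive instance).
const SAMPLE_WITH_PREFIX =
  "throw 'allowIllegalResourceCall is false.';\n" +
  '{"id":"1001","type":"document","subject":"Release notes"}';
const SAMPLE_WITHOUT_PREFIX =
  '{"id":"1001","type":"document","subject":"Release notes"}';
const SAMPLE_ARRAY_WITH_PREFIX =
  "throw 'allowIllegalResourceCall is false.';\n" +
  '[{"id":"1"},{"id":"2"}]';
const SAMPLE_THROW_INSIDE_PAYLOAD =
  '{"text":"throw \'not a prefix\';"}';

// Returns true when every sample parses to the expected value.
function selfCheck() {
  const a = parseJiveResponse(SAMPLE_WITH_PREFIX);
  const b = parseJiveResponse(SAMPLE_WITHOUT_PREFIX);
  const c = parseJiveResponse(SAMPLE_ARRAY_WITH_PREFIX);
  const d = parseJiveResponse(SAMPLE_THROW_INSIDE_PAYLOAD);
  return a.subject === b.subject && a.id === "1001" &&
    Array.isArray(c) && c.length === 2 && c[1].id === "2" &&
    d.text === "throw 'not a prefix';";
}

console.log(selfCheck() ? "all samples parsed" : "mismatch");
```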

As we get closer to settling on the approach for this change, we'll let the community know; for now, it is recommended that developers prepare their existing and new code with similar patterns so that they are protected.

Stay tuned.  You may now return to your IDE. =)