2 files changed, 20 insertions, 3 deletions

diff --git a/services/json_auth.esp b/services/json_auth.esp
index 2d58b6e2af..0fdd98037d 100644
--- a/services/json_auth.esp
+++ b/services/json_auth.esp
@@ -1,7 +1,13 @@
 <%
 /* Return true to allow access; false otherwise */
-function json_authenticate(serviceComponents, method)
+function json_authenticate(serviceComponents, method, scriptTransportId)
 {
+    // Don't allow any access via ScriptTransport, for now.
+    if (scriptTransportId != jsonrpc.Constant.ScriptTransport.NotInUse)
+    {
+        return false;
+    }
+
     return true;
 }
 
diff --git a/services/request.esp b/services/request.esp
index 1b33b61964..6f7e61e6e4 100644
--- a/services/request.esp
+++ b/services/request.esp
@@ -292,6 +292,8 @@ if (request["REQUEST_METHOD"] == "POST" &&
 }
 else if (request["REQUEST_METHOD"] == "GET" &&
          form["_ScriptTransport_id"] != undefined &&
+         form["_ScriptTransport_id"] !=
+           jsonrpc.Constant.ScriptTransport.NotInUse &&
          form["_ScriptTransport_data"] != undefined)
 {
     /* We have what looks like a valid ScriptTransport request */
@@ -455,8 +457,17 @@ if (! valid)
     return;
 }
 
-/* Ensure the logged-in user is allowed to issue the requested method */
-if (! json_authenticate(serviceComponents, jsonInput.method))
+/*
+ * Ensure the logged-in user is allowed to issue the requested method.  We
+ * provide the scriptTransportId as one of the determining factors because
+ * accepting requests via ScriptTransport is dangerous.  Only methods which
+ * one might allow when unauthenticated should be allowed via ScriptTransport
+ * as it is easy for a rogue site to trick a user into bypassing
+ * authentication.
+ */
+if (! json_authenticate(serviceComponents,
+                        jsonInput.method,
+                        scriptTransportId))
 {
     error.setError(jsonrpc.Constant.ErrorCode.PermissionDenied,
                    "Permission denied");