Dear Rails enthusiasts,

I'm currently developing a web app that allows each user to modify his page, using any HTML and any JavaScript. Sure, they can mess up their own page, but what I worry about is cross-site scripting vulnerabilities, especially cookie replay/session hijacking.

What I worry about is that a user creates a page that fetches the current cookie and saves it somewhere else. The user who visits the page doesn't know about that.

I wonder what the solution for this is. Thank you in advance.

--
Hendy Irawan
Web: http://hendy.gauldong.net
Mobile: +62 856 24889899
Yahoo Messenger: ceefour666

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Hendy Irawan wrote:
> Dear Rails enthusiasts,
>
> I'm currently developing a web app that allows each user to modify his
> page, using any HTML and any JavaScript. Sure, they can mess up their
> own page, but what I worry about is cross-site scripting vulnerabilities,
> especially cookie replay/session hijacking.
>
> What I worry about is that a user creates a page that fetches the current
> cookie and saves it somewhere else. The user who visits the page
> doesn't know about that.
>
> I wonder what the solution for this is. Thank you in advance.

Giving each user their own subdomain would prevent the browser from allowing access to the cookies from the other subdomains. If someone is logged in to foo.com the cookie would not be available if you were browsing bar.foo.com.

The only other way I can think of is to somehow filter out the JavaScript functions that read cookies, but that seems like it would be too easy to get around with workarounds like including a .js file from outside the site.

--
Posted via http://www.ruby-forum.com/.
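The cookie-scoping behaviour Alex describes, as an added example that is not part of the original thread: a small Ruby model of how a browser stores a Set-Cookie header and decides which cookies to attach to a request (the RFC 6265 host-only and domain-match rules). The host names foo.com and bar.foo.com, the cookie names and the values are assumed for illustration. It shows that a host-only session cookie set by foo.com is not attached to requests for bar.foo.com, so script on a user's page cannot read it, and the caveat that a session cookie set with a Domain attribute of foo.com is shared with every subdomain, which undoes the isolation. It also models the HttpOnly attribute, which the thread does not mention; on browsers that honour it, an HttpOnly cookie is still sent with requests but is hidden from document.cookie.

```ruby
# Added example, not code from the thread: a plain-Ruby model of browser
# cookie scoping (RFC 6265). Hosts, cookie names and values are assumed.

# A stored cookie as the browser keeps it: the domain it belongs to and
# whether it is "host-only" (no Domain attribute was given).
Cookie = Struct.new(:name, :value, :domain, :host_only, :http_only, keyword_init: true)

# RFC 6265 s5.1.3 domain matching: host equals domain, or host is a
# subdomain of it ("bar.foo.com" matches "foo.com"; "foo.com" does not
# match "bar.foo.com").
def domain_match?(host, domain)
  host = host.downcase
  domain = domain.downcase
  host == domain || host.end_with?(".#{domain}")
end

# Parse one Set-Cookie header received in a response from request_host.
# No Domain attribute  => host-only cookie, sent back only to request_host.
# Domain=foo.com       => cookie shared with foo.com and every subdomain.
def store_cookie(set_cookie_header, request_host)
  pair, *attrs = set_cookie_header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  domain_attr = nil
  http_only = false
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    case key.downcase
    when 'domain'   then domain_attr = val.to_s.sub(/\A\./, '').downcase
    when 'httponly' then http_only = true
    end
  end
  if domain_attr
    # A server may only set a cookie for its own host or a parent domain.
    unless domain_match?(request_host, domain_attr)
      raise ArgumentError, "#{request_host} may not set a cookie for #{domain_attr}"
    end
    Cookie.new(name: name, value: value, domain: domain_attr,
               host_only: false, http_only: http_only)
  else
    Cookie.new(name: name, value: value, domain: request_host.downcase,
               host_only: true, http_only: http_only)
  end
end

# Would the browser attach this cookie to a request for `host`?
def sent_to?(cookie, host)
  return host.downcase == cookie.domain if cookie.host_only
  domain_match?(host, cookie.domain)
end

# What script running on a page served from `page_host` can read through
# document.cookie: the cookies that would be sent to that host, minus
# those marked HttpOnly.
def visible_to_script(cookies, page_host)
  cookies.select { |c| sent_to?(c, page_host) && !c.http_only }.map(&:name)
end

# Scenario from the thread: the user logs in on foo.com, then visits a
# user-controlled page on bar.foo.com that runs arbitrary JavaScript.
def demo
  jar = []
  # Login response with no Domain attribute: host-only, scoped to foo.com.
  jar << store_cookie('_session_id=abc123; path=/', 'foo.com')
  # Same session, but configured for the whole domain (a session store's
  # domain option set to foo.com): shared with every subdomain.
  jar << store_cookie('shared_session=def456; path=/; domain=.foo.com', 'foo.com')
  # Domain-wide cookie marked HttpOnly: sent everywhere, readable nowhere.
  jar << store_cookie('hidden_session=ghi789; path=/; domain=foo.com; HttpOnly', 'foo.com')
  {
    readable_on_foo_com:     visible_to_script(jar, 'foo.com'),
    readable_on_bar_foo_com: visible_to_script(jar, 'bar.foo.com'),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |host, names| puts "#{host}: #{names.inspect}" }
end
```

The point of the check is the second cookie: moving user pages to subdomains only helps if the session cookie stays host-only on the login host, so the session store must not be configured with a Domain covering the whole site. The third cookie shows why HttpOnly is a useful second layer rather than a replacement: it removes document.cookie as a channel but does nothing about script on a same-origin page making requests that carry the cookie anyway, and browser support for it was uneven at the time of the thread.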
On 11/11/06, Alex Wayne <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Giving each user their own subdomain would prevent the browser from
> allowing access to the cookies from the other subdomains. If someone is
> logged in to foo.com the cookie would not be available if you were
> browsing bar.foo.com.

Oomph, I'm not considering subdomains yet, too complicated.

I'm not planning to limit JavaScript, but rather to design which security scheme works best so that JavaScript can't take advantage of it (so it's more on the server side). Maybe using HTTP authentication? But this way, cookies/sessions don't work. Maybe HTTP auth + cookie? (so that the cookie itself doesn't count as a "legit" session).

I'm also considering associating an IP address with a session, but I understand that some people have rotating proxies, and groups of people even surf with the same IP. So I don't think it's a good solution.

--
Hendy Irawan
Web: http://hendy.gauldong.net
Mobile: +62 856 24889899
Yahoo Messenger: ceefour666