dev.horde.org
9/21/25
Comment on [#2565] Firefox 3 bookmarks extension
> I've committed the Trean part of the changes. I hesitate to commit the jsonrpc implementation, though, because of security concerns. I don't know if there is going to be an easy way to fix this, but I don't think we can roll it out if it's possible to exploit.
>
> Here's the concern: if a user is using TreanMarks and is authenticated, another website with malicious javascript code could use XmlHttpRequest to POST jsonrpc requests to Horde without the user knowing. This actually goes beyond Trean since the user's authentication to Horde would be used; any API method would be callable.
>
> My first thought of how to handle this is that instead of using HTTP basic authentication, we need to have the jsonrpc backend use a real session, with a session key stored in the extension and included in requests as a POST parameter (like the Horde_Form token usage for CSRF protection) for checking.
>
> Thoughts?
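The session-bound token check proposed in the comment above, as an added illustrative model in Python (not Horde's or Trean's code; the in-memory session store, the function names and the `bookmarks.list` method name are assumptions). A cross-site POST carries the browser's ambient credentials but cannot read the token held by the extension, so it fails the comparison before any API method is dispatched:

```python
import hmac
import json
import secrets

# Constructed session store: session id -> per-session request token.
# Assumption: a real deployment keeps this in the server-side session.
SESSIONS = {}


def start_session():
    """Create a server-side session and the token the extension would store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid, SESSIONS[sid]


def handle_jsonrpc(session_id, post_params, allowed_methods=("bookmarks.list",)):
    """Dispatch a JSON-RPC call only if the POST carries the caller's token.

    session_id models the ambient credential (cookie or basic-auth header)
    that a forged cross-site request would also carry; post_params models the
    POST body, which must include the token only the extension knows.
    """
    expected = SESSIONS.get(session_id)
    if expected is None:
        return {"error": "not authenticated"}
    supplied = post_params.get("token", "")
    # Constant-time comparison; reject before the RPC body is even parsed.
    if not hmac.compare_digest(supplied, expected):
        return {"error": "missing or invalid request token"}
    try:
        request = json.loads(post_params.get("request", ""))
    except ValueError:
        return {"error": "malformed JSON-RPC request"}
    method = request.get("method")
    if method not in allowed_methods:
        return {"error": f"unknown method {method!r}"}
    return {"result": {"method": method, "params": request.get("params", [])}}
```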