dev.horde.org
Comment on [#2565] Firefox 3 bookmarks extension
> Thanks for your feedback, and for pointing this out!
>
> >> I've committed the Trean part of the changes. I hesitate to commit
> >> the jsonrpc implementation, though, because of security concerns. I
> >> don't know if there is going to be an easy way to fix this, but I
> >> don't think we can roll it out if it's possible to exploit.
> >>
> >> Here's the concern: if a user is using TreanMarks and is
> >> authenticated, another website with malicious javascript code could
> >> use XmlHttpRequest to POST jsonrpc requests to Horde without the user
> >> knowing. This actually goes beyond Trean since the user's
> >> authentication to Horde would be used; any API method would be
> >> callable.
>
> I'm sure you know more about this than I do. But I'm not sure how
> it's exploitable. How is the extension being "logged in" any
> different from the user being logged in to Horde? Doesn't
> cross-domain security already prevent a malicious site from doing
> this, whether the user himself is logged in or the extension is? I
> suppose code not subject to XHR security checks (another extension)
> could make a POST, but such code has so much control already that it
> seems futile to try to protect against it.
>
> Regardless, you bring up some very good points. We'll want to think
> it through several times.
>
> >> My first thought of how to handle this is that instead of using HTTP
> >> basic authentication, we need to have the jsonrpc backend use a real
> >> session, with a session key stored in the extension and included in
> >> requests as a POST parameter (like the Horde_Form token usage for
> >> CSRF protection) for checking.
>
> I'll need to learn how this is done, but I'm sure it wouldn't be too
> hard to implement.
>
> Thanks again.
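The mitigation sketched in the quoted thread (a real server-side session plus a per-session token that the extension stores and sends as a POST parameter, in the style of the Horde_Form token) can be shown in a few lines. The example below is added here for illustration and is not Horde's or Trean's code; the cookie name `Horde`, the POST parameter names `request` and `token`, the session store, and the `bookmarks.*` method names are all constructed assumptions. The point it demonstrates is the one the thread raises: a browser attaches the session cookie (or HTTP basic credentials) to any POST, including one initiated by another origin, but only a client that was handed the session token can present it, so the token check is what separates the extension's own calls from a forged request that rides on the user's authentication.

```python
import hmac
import json
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf_token": ...}.
# A real deployment would keep this in the application's session backend.
SESSIONS = {}


def create_session(user):
    """Start a server-side session and mint the per-session token the client stores.

    Returns (session_id, csrf_token). The session id travels in a cookie; the
    token is handed to the extension once and must be sent back with each call.
    """
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid, SESSIONS[sid]["csrf_token"]


# Constructed JSON-RPC methods standing in for an application's API (hypothetical names).
METHODS = {
    "bookmarks.add": lambda user, params: {"added": params.get("url"), "owner": user},
    "bookmarks.list": lambda user, params: {"owner": user, "items": []},
}


def handle_jsonrpc(cookies, form):
    """Dispatch one JSON-RPC call carried as POST parameters.

    cookies: dict of request cookies (the browser adds these automatically).
    form:    dict of POST parameters; the token lives here, not in a cookie,
             because a cross-origin page cannot read or forge it.
    """
    session = SESSIONS.get(cookies.get("Horde"))  # assumed cookie name
    if session is None:
        return {"error": {"code": -32000, "message": "not authenticated"}}

    # The CSRF check: compare in constant time, and treat a missing token as a failure.
    token = form.get("token")
    if not token or not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return {"error": {"code": -32001, "message": "missing or invalid request token"}}

    try:
        req = json.loads(form.get("request", ""))
    except json.JSONDecodeError:
        return {"error": {"code": -32700, "message": "parse error"}}

    method = METHODS.get(req.get("method"))
    if method is None:
        return {"error": {"code": -32601, "message": "method not found"}, "id": req.get("id")}
    return {"result": method(session["user"], req.get("params") or {}), "id": req.get("id")}


def demo():
    """Contrast a legitimate call with a request that carries only the cookie."""
    sid, token = create_session("alice")
    cookies = {"Horde": sid}
    call = json.dumps({"method": "bookmarks.add",
                       "params": {"url": "https://example.org/"}, "id": 1})
    from_extension = handle_jsonrpc(cookies, {"request": call, "token": token})
    # A request from another origin: the cookie is attached by the browser,
    # but the token is absent because that origin never received it.
    cookie_only = handle_jsonrpc(cookies, {"request": call})
    # A guessed token is rejected the same way.
    wrong_token = handle_jsonrpc(cookies, {"request": call, "token": "not-the-token"})
    return from_extension, cookie_only, wrong_token


if __name__ == "__main__":
    for label, resp in zip(("extension", "cookie only", "wrong token"), demo()):
        print(f"{label:12s} -> {resp}")
```

Binding the token to the session (rather than to basic-auth credentials that the browser resends on its own) is what gives the check its value: rotating or ending the session invalidates the token, and nothing a third-party page can do with the user's cookies lets it learn the value it must supply.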