dev.horde.org
9/21/25
Comment on [#2565] Firefox 3 bookmarks extension
> I remembered that the browser is caching the HTTP Basic credentials,
> which is bad. I think I can prevent that. I'm hoping after the
> first call using Basic auth, the cookie I get will be enough.
>
> But I think I see now how it's exploitable. Couldn't someone
> automatically submit a FORM with a POST to Horde, and the auth cookie
> would attach to the request regardless of the domain of the POSTing
> site? I guess they may not be able to do much with the response, but
> just sending is enough to do nasty things.
>
> So you're suggesting my extension holds a unique, opaque session key
> (probably in addition to the cookie I already have) that isn't stored
> anywhere in the browser proper?
>
> Also, is this really specific to JSON-RPC, or is it something that
> could be a problem with any of the RPC methods? Because on second
> thought, I think JSON-RPC requests would be difficult to forge
> because XHR is probably protected enough, and they can't be done by
> FORM that I know of, because they aren't sent using the standard URL
> encoding form. They use a POST Content-Type of 'application/json' or
> something, and the body is straight JSON, not wrapped in URL
> &key=value form.
>
> I hope it makes sense what I'm getting at here!
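The mitigation the quoted reply is circling around (an opaque per-session key the client must present on every RPC call, in addition to the cookie the browser attaches on its own) as an added example; this is illustrative code, not Horde's RPC layer or the extension's, and the header name `X-Session-Key`, the cookie name `horde_session` and the session store are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: cookie session id -> opaque key handed
# to the client in the response body, never written to a browser cookie.
SESSIONS = {
    "cookie-sess-1": {"user": "alice", "rpc_key": "k-3f9c2a"},
}

HEADER_NAME = "x-session-key"   # hypothetical header name, compared case-insensitively
COOKIE_NAME = "horde_session"   # hypothetical cookie name


def issue_session(session_id, user):
    """Create a session and return the opaque key the client must echo back."""
    key = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "rpc_key": key}
    return key


def check_rpc_request(cookies, headers, content_type):
    """Return (accepted, reason). A cross-site <form> POST carries the auth
    cookie automatically but cannot set a custom header or a JSON body."""
    sess = SESSIONS.get(cookies.get(COOKIE_NAME, ""))
    if sess is None:
        return False, "no session"
    # A plain HTML form can only send urlencoded, multipart or text/plain.
    if content_type.split(";")[0].strip().lower() != "application/json":
        return False, "content-type not JSON"
    presented = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME, "")
    # The key check is the control that actually defeats the forged POST;
    # constant-time comparison avoids leaking it through timing.
    if not hmac.compare_digest(presented, sess["rpc_key"]):
        return False, "missing or wrong session key"
    return True, sess["user"]
```

The content-type test is only a secondary filter; the opaque key that lives outside the cookie jar is what makes a forged request fail even when the cookie rides along.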