Re: The sausage meme and its copycats

Jun 12, 2004 14:33

There are issues on the LJ issue tracker board concerning this.

I've just filed my own bug against Firefox. (LJ *need* to fix their end, but there are things the browser can do to prevent this too, that are low-impact. Hopefully Mozilla/Firefox will implement a block for the next version. Good luck waiting for Microsoft to fix Internet Explorer

ciphergoth June 12 2004, 10:12:33 UTC
I can't be arsed to create a Bugzilla account to add this observation, but if you agree with me then feel free. I don't think the fixes you propose in Firefox are the right ones. Fundamentally this problem doesn't have much to do with JavaScript - if you can get the user to click a "submit" button, you can submit a form in their name anywhere.

Instead, I think the correct fix is not to present cookies in cross-site POST requests - or at least, to ask the user before doing so.

wechsler June 12 2004, 12:16:11 UTC
And what about GET forms?

ciphergoth June 12 2004, 16:59:25 UTC
I'd like to leave GET requests so that (e.g.) I can post a link to a friends-locked LJ on DJ, and if you're logged in you can just click the link.

I've always been given to understand that GET requests are not supposed to change anything, only request things. If servers enforce that, then this will work. If they don't, it doesn't...

wechsler June 13 2004, 01:17:04 UTC
You may be strictly right there, although it's not exactly what I remembered - this page seems to agree with you, as does (AFAICT) the RFC. Unfortunately I closed my Safari account so I can't check it in the HTTP book.

That said, real-world usage differs; consider: www.somewhere.com/getwebcounterimg.php?page=214&action=increment as a first example.

deliberateblank June 13 2004, 06:39:36 UTC
That's not really a good example as it's a bit of a hack!

GETs SHOULD be idempotent. They MAY not be, but if you're making significant changes (and I don't count webcounters as that significant) to database state you SHOULD use POSTs instead.

deliberateblank June 12 2004, 18:40:00 UTC
If you can persuade a user to do something, then you can persuade them to do anything.

Fundamentally, this exploit needs to be fixed by LJ itself. And it also needs to be fixed by any other website which has this vulnerability. That's the only way *they* can assure users they are safe.

However, my suggestion (which you will notice is additional to the LJ fix) would prevent this attack, at least in this instance. (And given that LJ doesn't allow JS in HTML posts, it should completely prevent it.) The infrastructure already exists to support it, there is no justification AFAICS for allowing this case, and it is actually a very good point: certain protocol transactions are expected from certain user actions. All others ought to at least require confirmation if not be disabled completely.

deliberateblank June 12 2004, 18:49:54 UTC
Oh, and creating a Moz bugzilla account really isn't too hard. If you have something to contribute to the debate *please* do.

Certainly I think making XS POST of cookies a promptable option would be a good idea (even if I think it would be disabled by too many users to be useful), however I think this situation suggests a number of different approaches that ought to be implemented in parallel.

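The two rules argued over in this thread, modelled together as an added example (not LiveJournal or Mozilla code; the hostnames, the `/update` and `/read` paths and the session cookie are constructed): the browser withholds cookies on cross-site POSTs but still sends them on cross-site GETs, so a link to a locked entry keeps working, and the server refuses to change state on a GET. The browser half is in effect what SameSite=Lax cookies later standardised.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

@dataclass
class Request:
    method: str
    url: str
    initiator: Optional[str] = None      # page that triggered the request; None = typed by the user
    cookies: Dict[str, str] = field(default_factory=dict)

def site(url: str) -> Optional[str]:
    return urlsplit(url).hostname

def attach_cookies(req: Request, jar: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Browser-side rule from the thread: send cookies on same-site requests and on
    cross-site GETs, but withhold them on cross-site POSTs so a form on a foreign
    page cannot act in the logged-in user's name."""
    target = site(req.url)
    cross_site = req.initiator is not None and site(req.initiator) != target
    if cross_site and req.method.upper() != "GET":
        return {}
    return dict(jar.get(target, {}))

class JournalServer:
    """Server-side rule from the thread: GET is read-only; state changes need POST."""
    def __init__(self) -> None:
        self.entries: List[str] = []

    def handle(self, req: Request) -> int:
        path = urlsplit(req.url).path
        if path == "/update":
            if req.method.upper() != "POST":
                return 405                   # refuse to change state on a GET
            if "session" not in req.cookies:
                return 403                   # no session cookie, no posting
            self.entries.append(req.cookies["session"])
            return 200
        return 200 if path == "/read" else 404

def simulate(req: Request) -> int:
    """Run one request through the browser rule and then the server rule."""
    jar = {"journal.example": {"session": "alice"}}   # constructed logged-in state
    req.cookies = attach_cookies(req, jar)
    return JournalServer().handle(req)

if __name__ == "__main__":
    forged = Request("POST", "http://journal.example/update", initiator="http://evil.example/page")
    print(simulate(forged))   # 403: cookies were withheld on the cross-site POST
```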