Hi,

On Tue, Sep 30, 2008 at 12:56:05PM +0000, corvid wrote:
> Cross site request forgery is the one where the bad person sticks an image tag or some javascript or whatever on a page, and your privileges are used to do something.
Sounds interesting. Just read the corresponding wikipedia entry.
> So my latest little experiment: out of the image urls your browser sees that have queries (the '?a=b&c=d&e=f'), how many are
>  - just advertisement trash anyway
>  - things you want where the request would work just as well with the query removed (e.g. forum software that likes to stick session ids on everything)
>  - things that wouldn't still work but don't really matter (e.g. user icons)
>  - things you need
>
> Here's a little bit of code that tries rejecting them. (If dillo had an option for such a thing someday, I imagine it would have a form more like "don't automatically load, and make it easier to know what the URL is before you load it manually")
To me the cross site request forgery issue looks more like an issue of the cookie system. Perhaps we should be more careful when to send out a cookie. What about not sending cookies with image requests, if the host of the image url is different from the one in the main page? What do other browsers do about this?

Cheers,
Johannes
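As an added example (not Dillo's code, and not the code either poster mentions), the C sketch below turns the two ideas in this exchange into policy checks a browser could run before fetching an image: corvid's experiment of rejecting image URLs that carry a query string, and Johannes's proposal of withholding cookies from an image request whose host differs from the main page's host. The function names, the URL parsing and the sample URLs are my own assumptions; the host comparison is an exact match (so www.example.org and example.org count as different hosts), and user@host prefixes and bracketed IPv6 literals are not handled.

```c
/* Added example, not Dillo's code: two policy checks for image requests
 * discussed in this thread. Hypothetical names; exact-host comparison only. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    IMG_REJECT,              /* do not fetch at all */
    IMG_LOAD_NO_COOKIES,     /* fetch, but attach no cookies */
    IMG_LOAD_WITH_COOKIES    /* fetch as today, cookies included */
} img_policy_t;

/* Copy the host part of "scheme://host[:port]/path?query#frag" into buf,
 * lowercased. Returns 0 on success, -1 if the URL has no host or it does
 * not fit. Assumption: no user@ prefix and no bracketed IPv6 literal. */
int url_host(const char *url, char *buf, size_t buflen)
{
    const char *start = strstr(url, "://");
    if (!start)
        return -1;
    start += 3;
    const char *end = start;
    while (*end && !strchr(":/?#", *end))   /* host ends at port, path, query or fragment */
        end++;
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= buflen)
        return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = (char)tolower((unsigned char)start[i]);
    buf[n] = '\0';
    return 0;
}

/* Johannes's proposal: cookies only when the image host equals the host of
 * the page that referenced it. Unparseable URLs count as a different host. */
int same_host(const char *page_url, const char *img_url)
{
    char page_host[256], img_host[256];
    if (url_host(page_url, page_host, sizeof page_host) != 0)
        return 0;
    if (url_host(img_url, img_host, sizeof img_host) != 0)
        return 0;
    return strcmp(page_host, img_host) == 0;
}

/* corvid's experiment: an image URL "has a query" if a '?' appears before
 * any '#' fragment marker. */
int image_url_has_query(const char *url)
{
    const char *q = strchr(url, '?');
    const char *frag = strchr(url, '#');
    return q != NULL && (frag == NULL || q < frag);
}

/* My combination of the two ideas: reject query-carrying images outright,
 * fetch cross-host images without cookies, otherwise load normally. */
img_policy_t image_request_policy(const char *page_url, const char *img_url)
{
    if (image_url_has_query(img_url))
        return IMG_REJECT;
    if (!same_host(page_url, img_url))
        return IMG_LOAD_NO_COOKIES;
    return IMG_LOAD_WITH_COOKIES;
}

int main(void)
{
    /* Constructed sample: a forum page referencing four images. */
    const char *page = "http://forum.example.org/viewtopic.php";
    const char *images[] = {
        "http://forum.example.org/logo.png",
        "http://forum.example.org/avatar.png?sid=1234abcd",
        "http://ads.example.net/pixel.gif",
        "http://bank.example.com/do.cgi?action=1",
    };
    static const char *names[] = { "reject", "load without cookies", "load with cookies" };
    for (size_t i = 0; i < sizeof images / sizeof images[0]; i++)
        printf("%-50s -> %s\n", images[i], names[image_request_policy(page, images[i])]);
    return 0;
}
```

The two checks are deliberately independent so each can be judged on its own: the query check answers corvid's question of how much breaks when query-bearing images are dropped, while the host check implements Johannes's cookie rule without touching what gets fetched. A site that serves its images from a sibling subdomain would need a registrable-domain comparison instead of the exact-host match used here.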