JS, as you may or may not know, can read cookies. Cookies generally are safe from prying eyes because they can only be sent back to the originating domain, in this case perlmonks.org. However, the JS on home nodes comes from the same domain and therefore has access to all cookies set anywhere else on perlmonks.org. That includes your username/password cookie. An unscrupulous user can insert JS code that, for instance, grabs that cookie and /msgs or e-mails it to him. He could then set that cookie in his own browser, thus logging in as you, and post / chat / change settings or passwords with your permissions, and, to the automated parts of the site, indistinguishably from you.

This is obviously a security risk. There has been much discussion about it before. Currently the only known way to prevent this is to turn off client-side scripting.

There are many easy ways to steal your login/cookie via JavaScript. The only way to be sure is to disable JavaScript for Perlmonks. vroom has announced that now the engine is supposed to strip Javascript from home nodes, but I would rather err on the safe side.

If you are using Internet Explorer, I can help you by telling you my setup :

Set up your zones like this :

• Internet Zone : Javascript and cookies disabled
• Restricted Zone : Javascript disabled, cookies enabled
• Trusted Zone : Javascript and cookies enabled

If you are using other browsers (or Internet Explorer), get yourself a proxy server that strips JavaScript from selected websites (like Perlmonks) - Google will help I guess.

Cookies should only be accessible to the site that set the cookie and the computer that accepted the cookie. However, when the site that set the cookie allows people other than the management of the site to put JavaScript on the site, that JavaScript could use the content of the cookie in a manner that doesn't match the policies of the site management (it is trivial to forward it to a remote site for later use in any way desired).

So the problem is a combination of cookies, JavaScript, and a site that accepts content from other sources.

Also, the content of the cookie could be some sort of session ID that is only useful for a limited time and couldn't be used to change your PerlMonks password. However, this particular cookie is just your username and encrypted password and so has no expiration date and can be used to change your PerlMonks password out from under you.

The new feature to remove JavaScript from home nodes is a welcome one even though it still has some bugs and so shouldn't be trusted completely. Lots of browsers and/or gateway/proxy software will strip JavaScript only for certain sites. Note that JavaScript can be a security risk in lots of other situations so you should consider disabling it for most of your surfing (you won't have any more pop-up ads, for one thing) and encouraging the sites that you frequent to allow effective navigation when JavaScript is disabled.

resident.perlmonks.org/node_id?

with removal of cookie specific functions - eg, chatbox etc - editing of node could still be done through www.perlmonks.com.

Thoughts?

cLive ;-)

good idea ++

   larryk                                          
perl -le "s,,reverse killer,e,y,rifle,lycra,,print"