in reply to Re^4: Let users link in a javascript library (required)
in thread Let users link in a javascript library

Cross-site request forgery.

Since most users allow the browser to load images, an external image can be used to trigger an GET request to an arbitrary URL, and the browser sends all session cookies of the target domain to that URL. Without any interaction from the user.

While state change on the server side should not be triggered by GET requests they often are. So it's safer to forbid them.

  • Comment on Re^5: Let users link in a javascript library (required)

Replies are listed 'Best First'.
Re^6: Let users link in a javascript library (required)
by ysth (Canon) on Apr 16, 2008 at 20:04 UTC
    I don't get the (ab)use case. A monk sets up an external img; another monk visits the homenode and their cookies from that external site are sent to the external site? Can you explain the problem?
    --
    Online Fortune Cookie Search
[reply]

      If that remote URL is a application/javascript file, I think that versions of IE will run it, and likely within the Perlmonks security context.

      If that remote URL redirects back to Perlmonks, it can alter user settings, at least if there are holes left open here where we allow setting of vital things via GET.

[reply]
[d/l]
        For the former: if true, bleah.

        For the latter: ah, right. Oh well.

[reply]
      <img src="/?node_id=109;op=logout" /> isn't very nice, it will probably log out anybody who tries to load the image.

      Even if perlmonks has some kind of protection against that, many web applications don't. Every action that can be done with GET request can be triggered, and that's often change of email address, write an article or even delete a user.

[reply]
[d/l]
[reply]

In Section Perl Monks Discussion