in reply to Re^5: Let users link in a javascript library (required)
in thread Let users link in a javascript library

I don't get the (ab)use case. A monk sets up an external img; another monk visits the homenode and their cookies from that external site are sent to the external site? Can you explain the problem?

Re^7: Let users link in a javascript library (required)
by Corion (Patriarch) on Apr 16, 2008 at 20:07 UTC

    If that remote URL is an application/javascript file, I think that versions of IE will run it, and likely within the Perlmonks security context.

    If that remote URL redirects back to Perlmonks, it can alter user settings, at least if there are holes left open here where we allow setting of vital things via GET.

      For the former: if true, bleah.

      For the latter: ah, right. Oh well.

Re^7: Let users link in a javascript library (required)
by moritz (Cardinal) on Apr 16, 2008 at 21:42 UTC
    <img src="/?node_id=109;op=logout" /> isn't very nice, it will probably log out anybody who tries to load the image.

    Even if perlmonks has some kind of protection against that, many web applications don't. Every action that can be done with a GET request can be triggered, and that's often changing an email address, writing an article or even deleting a user.
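The attack moritz describes, as an added illustration (this is not PerlMonks code; the `App` class, the session/cookie layout, the `node_id=109;op=logout` handler and the HMAC token scheme are constructed for the example). The victim's browser fetches the `<img src>` with a plain GET and attaches the site's cookies, so a server that performs the logout on any request carrying `op=logout` acts on it. The strict variant requires a POST carrying a token derived from the session, which a third-party image reference cannot supply.

```python
"""GET-triggered CSRF via <img src>, and the POST-plus-token fix.

Everything here is constructed for illustration: the App class stands in for
a web application, not for PerlMonks' actual request handling.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed server-side secret; a real deployment would generate it randomly
# at install time and never expose it.
SERVER_SECRET = b"constructed-server-secret"


def parse_params(s):
    """Parse 'a=1;b=2' (or '&'-separated) into a dict. Kept minimal on purpose."""
    out = {}
    for part in s.replace("&", ";").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k] = v
    return out


class App:
    """A tiny stateful web app. strict=False logs out on any request with
    op=logout (the vulnerable behaviour); strict=True demands POST plus a
    per-session CSRF token."""

    def __init__(self, strict):
        self.strict = strict
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "logged_in": True}
        return sid

    def csrf_token(self, sid):
        # Token bound to the session; only a page served to this session knows it.
        return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, method, url, cookies, body=""):
        """Return an HTTP-style status code for one request."""
        query = parse_params(urlsplit(url).query)
        sid = cookies.get("session")
        sess = self.sessions.get(sid)
        if sess is None or not sess["logged_in"]:
            return 401
        if query.get("op") == "logout":
            if self.strict:
                if method != "POST":
                    return 405  # state change over GET is refused outright
                token = parse_params(body).get("csrf", "")
                if not hmac.compare_digest(token, self.csrf_token(sid)):
                    return 403  # no (or wrong) token: not a request the user made
            sess["logged_in"] = False
        return 200


def browser_loads_img(app, src, cookies):
    """What the victim's browser does for <img src="...">: an unconditional GET
    with the site's cookies attached. It has no way to add a CSRF token."""
    return app.handle("GET", src, cookies)


def img_logout_scenario(strict):
    """Victim is logged in, then views a page carrying the hostile <img>.
    Returns (status the img fetch got, whether the victim is still logged in)."""
    app = App(strict)
    sid = app.login("monk1")
    status = browser_loads_img(app, "/?node_id=109;op=logout", {"session": sid})
    return status, app.sessions[sid]["logged_in"]


def legitimate_logout_scenario(correct_token):
    """The user's own logout form: POST with the token the page was served with
    (or a wrong one, to show the strict app rejecting it)."""
    app = App(strict=True)
    sid = app.login("monk1")
    token = app.csrf_token(sid) if correct_token else "bogus"
    status = app.handle("POST", "/?node_id=109;op=logout",
                        {"session": sid}, body="csrf=" + token)
    return status, app.sessions[sid]["logged_in"]


if __name__ == "__main__":
    print("vulnerable app, img fetch:", img_logout_scenario(strict=False))
    print("strict app, img fetch:    ", img_logout_scenario(strict=True))
    print("strict app, real logout:  ", legitimate_logout_scenario(True))
    print("strict app, bad token:    ", legitimate_logout_scenario(False))
```

Requiring POST alone is not enough on its own (a hostile page can still submit a cross-site form), which is why the strict handler also checks the session-bound token; the method check is what stops the `<img>` variant specifically.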

Re^7: Let users link in a javascript library (required)
by tinita (Parson) on Apr 16, 2008 at 21:51 UTC