Conversation:
Notices
-
Is it enough to check HTTP_REFERER to make sure someone is making a request from your own domain? I assume that privacy-aware browsers don't remove that header when sending requests to the same domain name.
-
@drymer I just pushed a fix to !GNUsocial so POSTs against the API require an HTTP_REFERER value with the same domain as the site is served on (unless using OAuth) so forms on third party websites can't POST to an authenticated session. @0@quitter.is pointed out that this could be done (since !Qvitter changes require API access without OAuth using an ordinary session)…
-
@drymer By XHR being unaffected I mean it was already protected against that (POSTs via javascript).
-
@drymer It'll give a 401 unauthorized.
Which kind of 3rd party plugins are you thinking about?
-
@drymer Nothing should ever use #CSRF (cross site request forgery) as a feature and think they can get away with it :D
-
@cathal We use HTMLPurifier (previously htmLawed) to remove malicious HTML .)
-
@cathal I even remove <img> tags, which StatusNet didn't do (and Diaspora seems to think is a feature). So no possibility to include tracking via remote resources either. (I try to fix everything that flags me on either NoScript or RequestPolicy plugins)
-
@cathal I made GNUsocial even remove*
It's not just me who removes 'em ;)
-
@cathal StoreRemoteMedia is a plugin that downloads remote images to the server and delivers them locally. It's recommended by the !qvitter readme .)
-
@cathal When we start sharing more videos and audio and choose to cache that locally we might start running into some issues though (delays for downloading and storage space).