Boris Zbarsky wrote on 5/16/2009 8:21 PM: 
>>    Why haven't browsers (such as Firefox) isolated tabs/windows from
>> each other such that I cannot simply replicate a logged-in user by
>> simply pasting into another FF tab?
> 
> For what it's worth, some sites do in fact prevent this (not sure which
> mechanism they use), and it's incredibly painful from a user perspective
> (opening links in new windows/tabs doesn't work properly, session
> history doesn't work properly, reloading doesn't work properly, etc, etc).

I've seen it done three ways, but none of them can prevent a user from 
right-clicking a link, then choosing "Open in a new tab" and having the 
selected page load.  But from there, one of the two tabs will stop working:


(1) A site enforces a same-origin policy by using referrer -- copying/pasting 
the current URL into a new tab means Firefox doesn't send the referrer header 
and the request is rejected by the server.  Note that right-clicking a link, 
then choosing "Open in a new tab" does send the referrer, so when done that 
way, it wouldn't be rejected.


(2) A site records the current page being viewed server-side (associated with 
the user's session), then uses it to enforce a site-flow policy.  For example, 
user is browsing on Tab 1, and can browse to Page A or Page B.  The user opens 
a new tab to the same page in Tab 2 via copy/paste.  In Tab 1, the user browses 
to Page A -- the server remembers the user is now on Page A.  Then in Tab 2, 
the user tries to browse to Page B, but because the server knows they're on 
Page A, and there isn't any way to browse to Page B from Page A, it rejects the 
request.


(3) A site employs secret link/form tokens that change on every page request.  
Think anti-XSRF secret tokens, but for all links and forms on every page.  For 
example, user requests Page A and is returned three links, all with the same 
secret token.  User then opens a second tab to the same page via copy/paste, 
but because it is a new request, the server generates a new secret token, and 
all three links on the second tab use the new secret token.  Back on the first 
tab, browsing any of the links will cause the server to reject the request 
because those secret tokens were expired when the user essentially reloaded the 
page.



- Bil

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
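The rotating-token scheme described in (3), as an added illustration (not code from this thread or from any site it mentions): a toy server mints a fresh per-session link token on every page render and rejects any request carrying an earlier one, so the copy/pasted second tab works while the first tab's links have gone stale. The session id, page names and the `t=` query parameter are assumptions made for the example.

```python
import secrets
from urllib.parse import parse_qs, urlparse

class TokenizedSite:
    """Constructed toy server for mechanism (3): one valid link token per
    session, rotated on every page render; stale tokens are rejected."""

    # Constructed site map: page -> pages it links to
    PAGES = {"home": ["page_a", "page_b"], "page_a": ["home"], "page_b": ["home"]}

    def __init__(self):
        self.current_token = {}  # session_id -> the only token still valid

    def render(self, session_id, page):
        """Serve a page: mint a new token (invalidating the previous one)
        and embed it in every link on the page."""
        token = secrets.token_urlsafe(16)
        self.current_token[session_id] = token
        links = [f"/{target}?t={token}" for target in self.PAGES[page]]
        return {"page": page, "links": links}

    def follow(self, session_id, link):
        """Handle a click on a rendered link: accept only the current token."""
        parsed = urlparse(link)
        presented = parse_qs(parsed.query).get("t", [""])[0]
        expected = self.current_token.get(session_id, "")
        # Constant-time comparison; an empty expected token never matches
        if not expected or not secrets.compare_digest(presented, expected):
            return {"status": 403, "reason": "stale or missing link token"}
        return {"status": 200, **self.render(session_id, parsed.path.lstrip("/"))}

def two_tab_scenario():
    """Replays the thread's example: Tab 1 loads a page, Tab 2 copy/pastes
    the same URL (a fresh request), then each tab follows one of its links.
    Returns (tab1_status, tab2_status)."""
    site = TokenizedSite()
    sid = "session-42"                       # constructed session id
    tab1 = site.render(sid, "home")          # Tab 1: links carry token T1
    tab2 = site.render(sid, "home")          # Tab 2: new request mints T2, T1 expires
    tab2_result = site.follow(sid, tab2["links"][0])  # T2 is current -> accepted
    tab1_result = site.follow(sid, tab1["links"][0])  # T1 expired -> rejected
    return tab1_result["status"], tab2_result["status"]

if __name__ == "__main__":
    print(two_tab_scenario())
```

Note that after Tab 2 follows one link, its remaining links are also stale, which is the "one of the two tabs will stop working" behaviour the post describes.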
