* Michael Rogers <m.rogers at cs.ucl.ac.uk> [2006-06-02 09:32:54]:

> Matthew Toseland wrote:
> >What's the iframe for? You only need the buttons, don't you?
> 
> The iframe's to hide the response page. You don't need a button if you 
> use javascript:
> 
> http://www.cs.ucl.ac.uk/staff/mrogers/attack2.html

The question is more "do we want to protect ourselves from that?"

The ONLY way to protect against this kind of attack is to teach the
user what the problem is:

   * if we filter according to referers, the server will spoof them
   * if we require credentials, the script will ask for credentials
     or the browser's credential caching mechanism will answer.
   * if we use a CAPTCHA, the script will ask the user what's written
     on the img ;)

Moreover, if we decide to go that way, we WILL prevent any
reference-autoadder (not a bad thing from my PoV)...

Here, I use a special browser to surf on Freenet:
   1) my node is sandboxed, chrooted, running with a dedicated user
   2) my regular uid isn't allowed to open any client socket to that
      user's server socket
   3) my browser is configured to use fproxy as a proxy server: that
      way, no external link can be followed.

NextGen$
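
The referer filtering named in the first bullet above, sketched as an added example (not part of the original message and not Freenet's own code). The listening address, the method set and the function names are assumptions; the point is to compare the parsed origin, since substring matching on the header accepts look-alike URLs.

```python
from urllib.parse import urlsplit

# Assumption: the local web interface listens here (constructed value).
OWN_ORIGIN = ("http", "127.0.0.1", 8888)
DEFAULT_PORTS = {"http": 80, "https": 443}
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it is unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    if parts.hostname is None or port is None:
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def referer_allows(method, headers, own_origin=OWN_ORIGIN):
    """Decide whether a request passes the Referer filter.

    Read-only requests pass. State-changing requests need a Referer whose
    parsed origin equals our own; a missing header is rejected.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    # Header names are case-insensitive, so normalise before the lookup.
    referer = {k.lower(): v for k, v in headers.items()}.get("referer")
    if not referer:
        return False
    return origin_of(referer) == own_origin


if __name__ == "__main__":
    # Constructed Referer values, including look-alikes of the local origin.
    for ref in ("http://127.0.0.1:8888/config/",
                "http://www.example.org/page.html",
                "http://127.0.0.1:8888.example.org/",
                "http://127.0.0.1:8888@example.org/",
                "http://example.org/?http://127.0.0.1:8888/"):
        print(referer_allows("POST", {"Referer": ref}), ref)
```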

