And that's where you need CSRF protection. It's not like it's anything new.
On 31/03/2013, at 3:19 PM, Doctor McKay <mc...@doctormckay.com> wrote:

> This isn't necessarily true. A malicious server could open a webpage in the
> client's Steam overlay browser that's hosted on their own website and uses
> JavaScript to POST something to steamcommunity.com, like a Steam group join
> request.
>
> Doctor McKay
> http://www.doctormckay.com
> mc...@doctormckay.com
>
> On Sat, Mar 30, 2013 at 8:01 PM, Netshroud <netshr...@gmail.com> wrote:
> If Steam Community would use GET and POST appropriately, then your concern
> would be a non-issue. A GET request shouldn't make any changes.
>
> On 31/03/2013, at 8:33 AM, 1nsane <1nsane...@gmail.com> wrote:
>
>> Could lead to even worse abuse.
>>
>> Steam overlay is logged in to steam. It's been like this forever, there are
>> things that rely on it staying that way.
>>
>> Since it is logged into steam it would allow malicious servers to do
>> automatically on their steam accounts. Starting with putting you in a steam
>> community group soon as you join a server without your consent. To using
>> exploits and doing much worse things like say forcing you to leave groups
>> you are an admin of or changing your settings.
>>
>> Ages ago when Steam used IE I reported an exploit able to do these things
>> and valve fixed it.
>>
>> On Sat, Mar 30, 2013 at 5:15 PM, Cameron Munroe <cmun...@cameronmunroe.com>
>> wrote:
>> I thought I might just put my 2 cents in, so please don't shoot me.
>>
>> Here is the text I received over chat:
>>
>> This info was taken from a discussion on IRC between SourceMod's Asher Baker
>> (Asherkin) and Valve's Tony Paloma (Drunken_F00l). Asherkin posted it in a
>> discussion then deleted it, but not before someone quoted it.
>> And just to make sure it doesn't get lost, I'm also going to quote it here
>> too.
>>
>> <Drunken_F00l> so i think we're gonna nuke the info panel
>> <Drunken_F00l> or at least the ability to send it at arbitrary times
>> <@asherkin> :|
>> <@asherkin> why?
>> <Drunken_F00l> because pinion
>> <Drunken_F00l> or more like server ops abusing pinion
>> <@asherkin> thus killing things that have existed forever, like using it to
>> view stats or to listen to streaming radio
>> <Drunken_F00l> it sucks that it might break plugins or game modes using it
>> for legit reasons though
>> <Drunken_F00l> ya
>>
>> In any case I think what they will only stop motd after initial connect thus
>> blocking any abuse by server owners. However I would rather, after initial
>> connect, to have links opened by the steam overlay browser. This would first
>> fix the issue of Pinion spamming as the player could quickly exit out and
>> continue playing their game, not to mention this harms the said owner that
>> is spamming the Ad during normal game play because of the required
>> completions, and not being able to hold the session for 30 seconds. It would
>> also be nicer because you could use this as a simple way to open radio
>> programs and such, and in new tabs. Thus no longer will radio be quit out
>> once you type !bp. It could also have the added functionality of going to a
>> common tab for similar links so if you already had radio open, and you open
>> radio again you won't be spammed by two radios playing.
>>
>> Just some thoughts.
_______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds
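A minimal server-side illustration of the two points made in the thread above (a GET must never change state, and a state-changing POST must carry a per-session token the cross-site page cannot know), added here as an example and not code from Steam or from anyone in this thread; the `Session`, `Request` and `handle_group_join` names are hypothetical and the inputs are constructed:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Tuple

# Constructed, minimal model of a logged-in session. The overlay browser sends the
# session cookie with every request, so the cookie alone cannot prove the user
# intended the action; the per-session CSRF token is the extra proof.
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    groups: set = field(default_factory=set)

@dataclass
class Request:
    method: str
    form: dict  # submitted fields, e.g. {"group": "...", "csrf_token": "..."}

def handle_group_join(session: Session, req: Request) -> Tuple[int, str]:
    """Hypothetical 'join group' endpoint. Returns (HTTP status, message)."""
    # 1. GET must never change state: otherwise an <img src=...> or a link
    #    opened in the logged-in overlay browser would be enough to join.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. The token must be present and match the one issued to this session.
    #    A page on another origin cannot read it, so it cannot forge the POST.
    submitted = req.form.get("csrf_token", "")
    if not submitted or not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "csrf token missing or invalid"
    group = req.form.get("group")
    if not group:
        return 400, "missing group"
    session.groups.add(group)
    return 200, "joined " + group

def demo():
    s = Session(user="player1")
    # Legitimate form rendered by the site itself carries the session's token.
    ok = handle_group_join(s, Request("POST", {"group": "clan", "csrf_token": s.csrf_token}))
    # Cross-site page in the overlay: cookie is sent, but the token is unknown.
    forged = handle_group_join(s, Request("POST", {"group": "spam", "csrf_token": "guess"}))
    # A GET is refused outright, even with the right token.
    get = handle_group_join(s, Request("GET", {"group": "spam", "csrf_token": s.csrf_token}))
    return ok[0], forged[0], get[0], sorted(s.groups)

if __name__ == "__main__":
    print(demo())  # (200, 403, 405, ['clan'])
```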