Re: Security Question: "Tabs" sharing session information, etc...
On May 16, 6:21 pm, Boris Zbarsky wrote:
> There's also the fact that users don't see separate tabs as separate
> sessions... With windows it's more interesting; in particular for WinIE
> separate windows are in fact separate sessions if they're started by
> clicking the icon.

FWIW, this is no longer true as of IE8.
http://blogs.msdn.com/ie/archive/2009/05/06/session-cookies-sessionstorage-and-ie8.aspx

___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Re: Security Question: "Tabs" sharing session information, etc...
Boris Zbarsky wrote on 5/16/2009 8:21 PM:
>> Why haven't browsers (such as FireFox) isolated tabs/windows from
>> each other such that I cannot simply replicate a logged-in user by
>> simply pasting into another FF tab?
>
> For what it's worth, some sites do in fact prevent this (not sure which
> mechanism they use), and it's incredibly painful from a user perspective
> (opening links in new windows/tabs doesn't work properly, session
> history doesn't work properly, reloading doesn't work properly, etc, etc).

I've seen it done three ways, but none of them can prevent a user from right-clicking a link, then choosing "Open in a new tab" and having the selected page load. But from there, one of the two tabs will stop working:

(1) A site enforces a same-origin policy by using referrer -- copying/pasting the current URL into a new tab means Firefox doesn't send the referrer header and the request is rejected by the server. Note that right-clicking a link, then choosing "Open in a new tab" does send the referrer, so when done that way, it wouldn't be rejected.

(2) A site records the current page being viewed server-side (associated with the user's session), then uses it to enforce a site-flow policy. For example, user is browsing on Tab 1, and can browse to Page A or Page B. The user opens a new tab to the same page in Tab 2 via copy/paste. In Tab 1, the user browses to Page A -- the server remembers the user is now on Page A. Then in Tab 2, the user tries to browse to Page B, but because the server knows they're on Page A, and there isn't any way to browse to Page B from Page A, it rejects the request.

(3) A site employs secret link/form tokens that change on every page request. Think anti-XSRF secret tokens, but for all links and forms on every page. For example, user requests Page A and is returned three links, all with the same secret token. User then opens a second tab to the same page via copy/paste, but because it is a new request, the server generates a new secret token, and all three links on the second tab use the new secret token. Back on the first tab, browsing any of the links will cause the server to reject the request because those secret tokens were expired when the user essentially reloaded the page.

- Bil
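The following is an added example, not part of the thread and not code from any of the sites or browsers discussed in it. It models mechanisms (2) and (3) from Bil's message server-side in plain Python: a `Session` that remembers the page it was last served (for the site-flow check) and the token minted with that page (for the rotating link tokens), and two walk-throughs that replay his two-tab scenarios. All names (`Site`, `Session`, `navigate_flow`, `render_page`, `follow_link`), the page graph and the "alice" session are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed page graph for the toy site: which pages link to which.
PAGES: Dict[str, List[str]] = {
    "home": ["a", "b", "c"],
    "a": ["home"],
    "b": ["home"],
    "c": ["home"],
}


@dataclass
class Session:
    user: str
    page: str = "home"            # mechanism (2): page the server believes is current
    token: Optional[str] = None   # mechanism (3): token issued with the last page served


class Site:
    """Server-side state for both schemes; one Session per logged-in user,
    keyed by a value that stands in for the session cookie."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(user)
        return sid

    # --- mechanism (2): server-side page-flow enforcement -------------------
    def navigate_flow(self, sid: str, target: str) -> bool:
        """Accept a request only if `target` is linked from the page the
        server last served to this session, then record the new position."""
        sess = self.sessions[sid]
        if target not in PAGES.get(sess.page, []):
            return False
        sess.page = target
        return True

    # --- mechanism (3): per-request link tokens -----------------------------
    def render_page(self, sid: str, page: str) -> List[Tuple[str, str]]:
        """Serve `page` (e.g. from a pasted URL). Every request mints a new
        token and embeds it in each link; the previous token is forgotten."""
        sess = self.sessions[sid]
        sess.page = page
        sess.token = secrets.token_urlsafe(16)
        return [(target, sess.token) for target in PAGES[page]]

    def follow_link(self, sid: str, target: str, token: str) -> Optional[List[Tuple[str, str]]]:
        """Follow a link that carried `token`; reject it if the session has
        since been served another page (which rotated the token)."""
        sess = self.sessions[sid]
        if sess.token is None or not secrets.compare_digest(token, sess.token):
            return None
        return self.render_page(sid, target)


def flow_two_tab_scenario() -> Tuple[bool, bool]:
    """Mechanism (2): tab 1 goes to Page A, then tab 2 (still showing the
    start page) asks for Page B. Returns (tab1_accepted, tab2_accepted)."""
    site = Site()
    sid = site.login("alice")
    site.render_page(sid, "home")             # both tabs show "home"
    tab1_ok = site.navigate_flow(sid, "a")    # server now records the user on "a"
    tab2_ok = site.navigate_flow(sid, "b")    # "b" is not linked from "a": rejected
    return tab1_ok, tab2_ok


def token_two_tab_scenario() -> Tuple[bool, bool]:
    """Mechanism (3): the copy/paste into tab 2 is a fresh request, which
    rotates the token, so tab 1's links go stale. Returns (tab1_ok, tab2_ok)."""
    site = Site()
    sid = site.login("alice")
    tab1_links = site.render_page(sid, "home")
    tab2_links = site.render_page(sid, "home")   # the paste: a second request
    target, tok = tab1_links[0]
    tab1_ok = site.follow_link(sid, target, tok) is not None
    target, tok = tab2_links[0]
    tab2_ok = site.follow_link(sid, target, tok) is not None
    return tab1_ok, tab2_ok


if __name__ == "__main__":
    print("flow  (tab1, tab2):", flow_two_tab_scenario())    # (True, False)
    print("token (tab1, tab2):", token_two_tab_scenario())   # (False, True)
```

Both walk-throughs end with exactly the breakage the thread complains about: the session is shared by every tab, so the server can only tell that *something* reloaded or moved on, not which tab did it, and one tab is sacrificed. Note that `compare_digest` is used for the token check so that the comparison does not leak timing; the scheme still does nothing to stop the "Open in a new tab" case Bil mentions, since that tab's links are issued with a valid token.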
Re: Security Question: "Tabs" sharing session information, etc...
Rafal Los wrote:
> Can anyone answer this question: What is the *technical reason* that
> separate TABS cannot be isolated from each other (for session
> management, etc).

Because the session information is per-profile in the typical case (e.g. cookies). If the question is why session cookies are not per-tab, it's because the cookie store was written way before tabs were thought of. It could be completely rewritten to work differently, sure.

There's also the fact that users don't see separate tabs as separate sessions... With windows it's more interesting; in particular for WinIE separate windows are in fact separate sessions if they're started by clicking the icon.

> Why haven't browsers (such as FireFox) isolated tabs/windows from each
> other such that I cannot simply replicate a logged-in user by simply
> pasting into another FF tab?

For what it's worth, some sites do in fact prevent this (not sure which mechanism they use), and it's incredibly painful from a user perspective (opening links in new windows/tabs doesn't work properly, session history doesn't work properly, reloading doesn't work properly, etc, etc).

-Boris
Security Question: "Tabs" sharing session information, etc...
Can anyone answer this question: What is the *technical reason* that separate TABS cannot be isolated from each other (for session management, etc).

I ask this specifically because it's great that great strides are being made by the browser makers to keep the tabs/windows isolated from each other so that one can't "crash" another (aka Chrome) but there still remains the problem of a shared "global" memory space where session information is stored (maybe I'm not getting this right)...

Why haven't browsers (such as FireFox) isolated tabs/windows from each other such that I cannot simply replicate a logged-in user by simply pasting into another FF tab?

Thank you.

--
Rafal M. Los
Security & IT Risk Strategist
- Blog: http://preachsecurity.blogspot.com
- LinkedIn: http://www.linkedin.com/in/rmlos
- Twitter: http://twitter.com/RafalLos