Thanks David for your continued effort on this!
Jacques
From: "David E Jones"
On Mar 5, 2009, at 2:55 PM, David E Jones wrote:
One thing that we could do to help with this problem, at least for
secure pages, is to tighten things up a bit. I'm thinking of 2 things:
1. if a request has https=true then we will not accept http requests
AT ALL, we will just return an err
David,
I am just thinking out loud here, but if there were no AJAX calls, then your
original approach would work and if there were only AJAX calls then, as I
described, all the requests could be run thru a common xhr object and it
could handle the tokens. So what if we used a dual random token app
Yes, AJAX calls are an interesting point... If AJAX requests used the
random token even a single call would reset the token and break
things. If they did not use the random token they are a gaping
security hole.
I don't think we're going to do the random token thing, unless someone
spon
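An added toy model (my own illustration, not OFBiz code) of the failure mode David describes above: a token that rotates on every validated request versus one that stays fixed for the session, exercised by one AJAX call followed by a form submit that still carries the page's original token. The class and function names are assumptions made for this example.

```python
import secrets
from typing import Optional, Tuple


class SessionCsrfGuard:
    """Constructed model of a per-session anti-XSRF token with two policies.

    rotate_per_request=True regenerates the token after every accepted
    request (the 'random token' scheme discussed in the thread);
    rotate_per_request=False keeps one token for the whole session.
    """

    def __init__(self, rotate_per_request: bool):
        self.rotate_per_request = rotate_per_request
        self.token = secrets.token_hex(16)

    def current_token(self) -> str:
        # The token that gets embedded in the rendered page.
        return self.token

    def validate(self, submitted: Optional[str]) -> bool:
        # A request without a token, or with the wrong one, is refused;
        # this is the check an AJAX call would bypass if it skipped the token.
        if submitted is None or not secrets.compare_digest(submitted, self.token):
            return False
        if self.rotate_per_request:
            # Accepting the request burns the token for everything else
            # that was rendered with it, including the still-open form.
            self.token = secrets.token_hex(16)
        return True


def page_with_ajax_then_form(rotate_per_request: bool) -> Tuple[bool, bool]:
    """Render one page, fire one AJAX call, then submit the page's form.

    Both requests carry the token that was embedded when the page rendered.
    Returns (ajax_accepted, form_accepted).
    """
    guard = SessionCsrfGuard(rotate_per_request)
    page_token = guard.current_token()
    ajax_ok = guard.validate(page_token)
    form_ok = guard.validate(page_token)
    return ajax_ok, form_ok


if __name__ == "__main__":
    print("rotating token :", page_with_ajax_then_form(True))   # (True, False)
    print("session token  :", page_with_ajax_then_form(False))  # (True, True)
```

With rotation, the single AJAX call invalidates the form's token before the user submits it, which is exactly the breakage described; with a fixed per-session token both succeed while a forged or missing token is still rejected.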
David,
I am trying to think of the effect this will have as applications have more
and more AJAX calls. It seems like it would come down to implementing a
central object for processing such requests and the developer would not need
to worry about it, but then a mix of page requests and ajax calls
I agree with Adrian. As you well explained David, we can't expect to have a totally secured without paying some price (sometimes too
high) in usability, etc.
So yes +1 for this, I can't see a better way.
Jacques
From: "Adrian Crum"
David,
Thank you for the thorough explanation of the problem!
From my perspective, any steps taken to improve security are a benefit.
At the same time, any steps taken to improve security can be thwarted by
a skilled hacker.
I think a reasonable approach is to implement measures that improve
I've been thinking more about the XSRF problem and what we can do to
make OFBiz more secure from this sort of attack. This is related to
OFBIZ-1959 and there is more discussion and introduction to it there.
The trick is that we want to allow certain things:
1. the client's IP address can c