This is a well-known problem, and is discussed in source. We recommend only
using short-lived security tokens (1 minute or less) for rendering.
GadgetRenderingContentRewriter automatically inserts a long-lived token into
the response body.

On Wed, May 13, 2009 at 4:21 AM, Yoichiro Tanaka <[email protected]> wrote:

> Hi folks,
>
> I'm Yoichiro Tanaka, an architect of the mixi Platform in Japan. I am
> reporting here on a problem, and a solution, concerning spoofing via the Referer:
>
> Phenomenon:
>
> If a user obtains the referer URL of an OpenSocial application, that
> user can use the application under another user's account (= application
> spoofing).
>
> Replicate:
>
> (1) An application developer writes code that accesses an external web
> server using an <img> or <a> tag in the content of an OpenSocial
> application.
>
> (2) The application is used by users on an SNS.
>
> (3) The external web server is accessed from the user's application in
> the user's browser, by clicking the link or displaying the image.
>
> (4) As a result of that access to the external server, the iframe's src
> URL for the application is written into the external web server's access
> log as the Referer.
>
> (5) The external web server's owner, or any user who can learn the URL,
> can use the application as the user identified by the security token
> included in that URL, simply by using the Referer URL.
>
> Cause:
>
> The cause is that the st parameter is included in the src attribute
> value of the iframe.
>
> Risks:
>
> A user's personal information can be obtained by spoofing other users
> and using the application with the referer URL.
>
> React:
>
> The problem is that the st parameter, which carries the authentication
> information, is included in the Referer. If the st parameter is excluded
> from the URL recorded as the Referer, the spoofing can be prevented.
>
> Therefore, it is better to pass the Security Token value as a URL
> fragment.
>
> NG: http://.../...?st=abcdefg&...
> OK: http://.../...?...#st=abcdefg
>
> When the major browsers transmit the URL in the request header as the
> Referer, the URL fragment is not sent. Because the st parameter then
> never appears in the Referer that remains in the external web server's
> access log, the spoofing can be prevented.
>
> Can anyone comment or advise on this?
>
> Thanks,
> -Yoichiro
>
> --
> Yoichiro Tanaka
> Email: [email protected]
> Blog: http://www.eisbahn.jp/yoichiro
>
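The leak described in the quoted report, and the fragment-based fix it proposes, can be checked in code. The block below is an added example and is not code from the thread, from mixi, or from Shindig. It simulates the only Referer-stripping rule relevant here (fragment and userinfo are never sent; the hostnames, the parameter set and the constructed iframe src URL are assumptions for illustration), rewrites an iframe src so the st token rides in the fragment instead of the query string, and shows how the gadget side would read it back. The short-lived-token check reflects the 1-minute recommendation in the reply above and is likewise an illustration, not Shindig's implementation.

```javascript
// Added example, not from the original thread or from Shindig/mixi.
// Constructed sample iframe src in the shape the report describes: the
// gadget renderer URL with the security token "st" in the query string.
// All hostnames and parameter names here are assumed for illustration.
const SAMPLE_IFRAME_SRC =
  'http://gadgets.example.org/ifr?url=http%3A%2F%2Fapp.example.com%2Fgadget.xml' +
  '&st=abcdefg&container=default';

// What a browser puts in the Referer header for a page at `pageUrl`.
// Browsers strip the fragment and any userinfo before sending; that is the
// whole basis of the proposed fix. (Modern referrer policies may strip more;
// this models the 2009 default, which is the worst case for the leak.)
function refererFor(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// True if the named query parameter would survive into the Referer header.
function leaksParam(pageUrl, name) {
  return new URL(refererFor(pageUrl)).searchParams.has(name);
}

// Container-side fix: move the token out of the query string into the
// fragment, so the URL still carries it but the Referer does not.
function moveParamToFragment(pageUrl, name) {
  const u = new URL(pageUrl);
  const value = u.searchParams.get(name);
  if (value === null) return u.href; // nothing to move
  u.searchParams.delete(name);
  u.hash = `${name}=${encodeURIComponent(value)}`;
  return u.href;
}

// Gadget-side: read the token back from location.hash (passed here as a
// full URL so the function is testable outside a browser).
function readParamFromFragment(pageUrl, name) {
  const frag = new URL(pageUrl).hash.replace(/^#/, '');
  return new URLSearchParams(frag).get(name);
}

// Defence in depth from the reply above: even a leaked rendering token is of
// little use if it expires within a minute of issue. Times are in ms.
const RENDER_TOKEN_TTL_MS = 60 * 1000; // assumed value matching the "1 minute or less" advice
function tokenStillValid(issuedAtMs, nowMs, ttlMs = RENDER_TOKEN_TTL_MS) {
  return nowMs >= issuedAtMs && nowMs - issuedAtMs <= ttlMs;
}

// Walk through the scenario when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('original src leaks st via Referer:', leaksParam(SAMPLE_IFRAME_SRC, 'st'));
  const fixed = moveParamToFragment(SAMPLE_IFRAME_SRC, 'st');
  console.log('rewritten src:', fixed);
  console.log('Referer the external server sees:', refererFor(fixed));
  console.log('gadget reads token from fragment:', readParamFromFragment(fixed, 'st'));
}
```

The fragment is available to script in the iframe via `window.location.hash`, which is what `readParamFromFragment` models; it is never sent to the server hosting the gadget either, so a container that also needs the token server-side must deliver it through another channel (for example, a POST body or a short-lived cookie), not the URL.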
