Can't the same be done to allow users to log in only through HTTPS, or, if
they are on HTTP, redirect the user to HTTPS? So the script will only work
when the user is over secure HTTP.

On 22 February 2012 01:24, Roan Kattouw <roan.katt...@gmail.com> wrote:

> On Mon, Feb 13, 2012 at 5:28 PM, Daniel Friesen
> <li...@nadir-seen-fire.com> wrote:
> > The idea that login is secure because it's on a separate page from the rest
> > of the site is actually an old mistake.
> > If a script is included ANYWHERE on the site on the same domain then it's
> > possible to inject some code that will fake pageviews in a way that will
> > let an attacker have a running script when the user follows the login link
> > to the login page.
> > So there isn't really any security advantage of a separate login page over
> > an ajax login. (well ;) unless you're using the separate login page because
> > you have js disabled, then you're safe, heh)
> >
> Basically, the issue was that if you're on an unencrypted HTTP
> pageview, you cannot trust the login form that gets AJAXed in, even if
> it submits to HTTPS. If the login form is transferred over HTTP (or
> the script that loads the login form is transferred over HTTP, or if
> *anything* comes over HTTP), it's not secure.
>
> Roan
>



-- 
Shivansh Srivastava | +91-955-243-5407 | <mr.shivansh.srivast...@gmail.com>
http://in.linkedin.com/pub/shivansh-srivastava/17/a50/b18
Secretary, BITS Alumni Affairs Division | Web Expert, Newsletter, BITSAA International
3rd Year Undergraduate | B.E. (Hons.) - Electronics & Instrumentation, BITS-Pilani.
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
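An added example of the policy Shivansh asks about, written for this page and not taken from MediaWiki (which is PHP) or from anyone in the thread: a small Python WSGI handler for a /login endpoint that only exists over HTTPS. It follows Roan's rule that nothing about login may arrive over HTTP: a GET for the form over HTTP is redirected to the https:// URL without ever sending the form, and a POST over HTTP is refused outright, because the password it carries was already exposed in transit and verifying it would only confirm it. It goes beyond the thread in two places, both assumptions of this example rather than anything the thread states: every HTTPS response sets Strict-Transport-Security, since without it the HTTP-to-HTTPS redirect is itself an unencrypted response that an on-path attacker can rewrite, and the session cookie is marked Secure and HttpOnly so it is never sent to the HTTP origin. The host name, the `alice` test user, and the `make_environ` helper are constructed for the example.

```python
"""Added example (not MediaWiki code): a WSGI /login endpoint that only
exists over HTTPS. HSTS and the Secure cookie flag are assumptions added
here; the thread itself only says nothing about login may travel over HTTP.
"""
import hashlib
import hmac
import io
import secrets
from urllib.parse import parse_qs, quote

# Constructed test user; a real site stores a per-user salt, not a shared one.
_SALT = b"example-salt"
_ITER = 50_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER)}
SESSIONS = {}  # token -> username, in memory for the example

HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
LOGIN_FORM = (b'<form method="post" action="/login">'
              b'<input name="user"><input name="pass" type="password">'
              b'<button>Log in</button></form>')


def is_https(environ):
    """True if the request arrived over TLS.

    wsgi.url_scheme is set by the WSGI server. Behind a TLS-terminating
    proxy the scheme arrives in X-Forwarded-Proto; trust that header only
    if your own proxy overwrites it on every request, otherwise a client
    can spoof it and bypass the whole check.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_url(environ):
    """Same host, path and query string, with the scheme forced to https."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    url = f"https://{host}{quote(environ.get('PATH_INFO', '/'))}"
    qs = environ.get("QUERY_STRING", "")
    return f"{url}?{qs}" if qs else url


def verify_password(user, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    # Always compare against something so unknown users cost the same time.
    expected = USERS.get(user, bytes(len(candidate)))
    return user in USERS and hmac.compare_digest(candidate, expected)


def handle_login(environ):
    """Return (status, headers, body) for a request to /login."""
    method = environ.get("REQUEST_METHOD", "GET").upper()

    if not is_https(environ):
        if method == "GET":
            # Redirect the navigation; the form itself is never sent over HTTP.
            return ("301 Moved Permanently",
                    [("Location", https_url(environ))], b"")
        # A POST over HTTP has already leaked the password. Do not verify it
        # and do not redirect: a 307 would replay the credentials, and a
        # 301/302 would silently drop the body.
        return ("403 Forbidden", [("Content-Type", "text/plain")],
                b"Login is only accepted over HTTPS.\n")

    headers = [HSTS, ("Content-Type", "text/html")]
    if method == "GET":
        return ("200 OK", headers, LOGIN_FORM)
    if method != "POST":
        return ("405 Method Not Allowed", [HSTS, ("Allow", "GET, POST")], b"")

    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    user = form.get("user", [""])[0]
    if not verify_password(user, form.get("pass", [""])[0]):
        return ("401 Unauthorized", headers, b"Bad credentials.\n")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    # Secure: never sent over http://. HttpOnly: not readable by page scripts.
    headers.append(("Set-Cookie",
                    f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"))
    return ("200 OK", headers, b"Logged in.\n")


def login_app(environ, start_response):
    """Plain WSGI entry point, usable with wsgiref.simple_server."""
    status, headers, body = handle_login(environ)
    start_response(status, headers)
    return [body]


def make_environ(scheme, method, body=b"", host="wiki.example.org",
                 query="returnto=Main_Page"):
    """Constructed WSGI environ for exercising handle_login offline."""
    return {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
            "HTTP_HOST": host, "PATH_INFO": "/login", "QUERY_STRING": query,
            "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}


if __name__ == "__main__":
    creds = b"user=alice&pass=correct+horse"
    for scheme, method, body in [("http", "GET", b""), ("http", "POST", creds),
                                 ("https", "GET", b""), ("https", "POST", creds)]:
        status, headers, _ = handle_login(make_environ(scheme, method, body))
        print(f"{scheme:5} {method:4} -> {status} {dict(headers).get('Location', '')}")
```

The redirect alone does not answer Roan's objection: the first HTTP request is still unencrypted, and an attacker on the path can answer it with a fake form instead of the 301. HSTS closes that gap only after the browser has seen the header once over HTTPS (or has the domain preloaded), which is why the example sends it on every HTTPS response rather than only on the login page. The same "nothing over HTTP" rule then has to hold for every script the site loads, which is the point of Daniel's message.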
