On 28 Mar 2010, at 15:12, Jon mailinglists wrote:
> I then login to my application in one tab, and in another tab access
> this js/html. That will give back the data about me since I've got a
> valid session which gets sent to my catalyst server. That means
> evilempire.com has access to my logged in users data, and that's what
> I want to protect them from. XSS from another site.

Is that not XSRF, rather than XSS?

> That's why I was talking auth tokens or some other means of protection.

I guess so, given that auth tokens are an XSRF protection really :)

> I suppose more people have thought of that, and this isn't really
> Catalyst specific but very general. What I wonder though is if there's
> any built in mechanism to protect from that since, if I haven't got it
> all wrong, cookie based sessions are pretty much useless as security.

There are a number of pre-baked solutions to this on CPAN / in various form systems.

That said, there is no generic thing you can plug into an arbitrary Catalyst application which will try to protect you.

It would be possible to parse the HTML your app output, add an extra hidden field to any forms you had generated in the page, and then look for a previously generated token and redirect / refuse the request if it wasn't present.

However this would obviously not catch forms generated purely from Javascript (and a number of other cases), and so I'm somewhat doubtful of its value in more complex applications. I can certainly remember the stuff which tries to achieve this that is baked into Rails making me scream :)

That said - the wiki could very much benefit from a few pages which clearly explained the issue(s) surrounding XSS and XSRF in more detail, along with a rundown of what various form systems provide to mitigate these issues (and any other more generic modules available).

Would you be prepared to write (even some) of this - given you seem to already be doing the research?

> Was this easier to follow?

Yes. I thought that's what you meant the first time round, but I wasn't sure, and so I decided to wait for clarification (as other people had already replied when I saw your first mail).

Cheers
t0m

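The two halves of the token scheme t0m sketches above (an output filter that adds a hidden field to every POST form in the rendered page, and a request filter that refuses a state-changing request whose token is missing or wrong), written out as an added, framework-neutral example that is not part of the original mail or of any Catalyst module. The HTML, the `csrf_token` field name and the `session`/`params` dicts are constructed stand-ins for a Catalyst view's output, `$c->session` and `$c->req->params`; as noted in the thread, a form built later by JavaScript never passes through the output filter and so gets no token.

```python
import re
import secrets
import hmac

# Constructed sample of what a view might render (assumption: forms are plain
# <form> tags in the response body, not built afterwards by JavaScript).
SAMPLE_HTML = """<html><body>
<form method="post" action="/profile/update"><input name="name"></form>
<form method="get" action="/search"><input name="q"></form>
</body></html>"""

FORM_TAG = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
METHOD_POST = re.compile(r"""method\s*=\s*["']?\s*post""", re.IGNORECASE)


def session_token(session):
    """Return the per-session token, minting one on first use."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def inject_tokens(html, token):
    """Output filter: append a hidden token field to every POST form tag.
    GET forms are left alone; they must not change state in the first place."""
    field = '<input type="hidden" name="csrf_token" value="%s">' % token

    def add_field(match):
        tag = match.group(0)
        return tag + field if METHOD_POST.search(tag) else tag

    return FORM_TAG.sub(add_field, html)


def request_allowed(method, params, session):
    """Request filter: safe methods pass; anything else needs a token that
    matches the session's token (compared in constant time)."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token")
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)
```

A request from evilempire.com carries the victim's session cookie but not the token, so `request_allowed` returns False for it even though the session itself is valid.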

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/