* Michael Rogers <[EMAIL PROTECTED]> [2006-06-02 09:32:54]:
> Matthew Toseland wrote:
> >What's the iframe for? You only need the buttons, don't you?
>
> The iframe's to hide the response page. You don't need a button if you
> use javascript:
>
> http://www.cs.ucl.ac.uk/staff/mrogers/attack2.html
The question is more "do we want to protect ourselves from that?"
The ONLY way to protect against such a kind of attack is to teach the
user what the problem is:
* if we filter according to referers, the server will spoof them
* if we require credentials, the script will ask for credentials,
  or the browser's credential caching mechanism will answer.
* if we use a CAPTCHA, the script will ask the user what's written
  on the img ;)
Moreover, if we decide to go that way, we WILL prevent any
reference-autoadder (not a bad thing from my PoV)...
Here, I do use a special browser to surf Freenet:
1) my node is sandboxed, chrooted, running as a dedicated user
2) my regular uid isn't allowed to open any client socket to that
   user's server socket
3) my browser is configured to use fproxy as a proxy server: that
   way, no external link can be followed.
NextGen$
_______________________________________________
Devl mailing list
[email protected]
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
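The first bullet above (filtering on the Referer header) is the one option in the message that can be shown concretely. What follows is an added example, not code from the thread or from fproxy: a Referer allow-list check run over a few constructed requests, including the kind of request the quoted attack page would make (a cross-site POST whose browser-supplied Referer names the attacker's page) and the case the message warns about (a client that simply sets Referer to look local). The fproxy host and port, the header sets and the labels are assumptions. It also shows two look-alike Referers (userinfo and subdomain tricks) that a prefix comparison would wrongly accept, which is why the check parses the URL instead of matching a string.

```python
"""Added example: Referer-based filtering for a local web UI, and what
it does and does not stop. None of this is fproxy's own code."""
from urllib.parse import urlparse

# Assumption: fproxy listens on this host:port, so only pages served
# from it may drive state-changing requests.
FPROXY_HOSTS = {"127.0.0.1:8888", "localhost:8888"}


def referer_allowed(headers, allowed_hosts=FPROXY_HOSTS, allow_missing=False):
    """Return True if the request's Referer names an allowed host.

    Header names are matched case-insensitively. A missing Referer is
    rejected unless allow_missing is set; browsers omit the header in
    several situations, so a real policy has to choose between breaking
    those requests and accepting blind ones. The URL is parsed rather
    than prefix-matched, so "http://127.0.0.1:8888@attacker.example/"
    (netloc includes the userinfo part) and
    "http://127.0.0.1:8888.attacker.example/" are both rejected.
    """
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        return allow_missing
    parsed = urlparse(referer)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return parsed.netloc.lower() in allowed_hosts


# Constructed requests (assumed, not captured from any real browser).
# Only the Referer header matters for this check.
SAMPLE_REQUESTS = {
    # A user clicking a button on an fproxy page.
    "legit-click-on-fproxy-page": {"Referer": "http://127.0.0.1:8888/"},
    # The hidden-iframe/JavaScript page from the thread: the browser
    # fills in the attacker's own page as Referer.
    "browser-autosubmit-from-attacker-page": {
        "referer": "http://attacker.example/attack2.html"},
    # Browser sent no Referer at all.
    "no-referer": {},
    # Look-alike Referers that a startswith() check would accept.
    "userinfo-trick": {"Referer": "http://127.0.0.1:8888@attacker.example/"},
    "subdomain-trick": {"Referer": "http://127.0.0.1:8888.attacker.example/"},
    # A non-browser client that sets the header itself: this is the
    # spoofing the message refers to, and the filter cannot tell it
    # from a legitimate request.
    "forged-referer-from-script": {"Referer": "http://127.0.0.1:8888/"},
}


def classify_requests(requests=SAMPLE_REQUESTS, **policy):
    """Apply referer_allowed to every sample; returns {label: allowed}."""
    return {label: referer_allowed(hdrs, **policy) for label, hdrs in requests.items()}


if __name__ == "__main__":
    for label, allowed in classify_requests().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The "forged-referer-from-script" entry is the point of the message's first bullet: the header is whatever the client chooses to send, so the filter only raises the bar for code running inside a browser that does not let scripts set Referer. The userinfo and subdomain entries are a separate pitfall: a check that compares the header as a string prefix would let both through.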
