On 03 Feb 2015, at 16:44, Jon Dufresne <jon.dufre...@gmail.com> wrote:
> However some URLs are accessed by a unique URL
> containing a nonce without a login. Login is not an option for these
> URLs. Sharing this URL is considered very bad and I would like to
> avoid it happening unintentionally.

I'm not following this: to prevent this case, you are actively
instructing all your users to disable referer headers in their browsers?
If not, how are you controlling what referrers your users send?

URLs without login, which contain a secret nonce, are indeed sensitive
to the nonce leaking through the referer. Dropbox ran into this a
while ago:
https://blog.dropbox.com/2014/05/web-vulnerability-affecting-shared-links/

This also affected Evernote for some time. The common resolution seems
to be not to disable referer headers, which is a client-side issue, but
to mask it by sending all external links through a specific URL first
without the nonce, which works as a simple redirector.

Far from ideal, especially when dealing with more complicated links like
when sharing office documents. But it seems to work for Dropbox and
Evernote. You'll notice for example that when viewing a PDF on Dropbox,
you're not using your in-browser PDF viewer but Dropbox' custom viewer,
which I imagine also modifies all external links.

Erik

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/1AFE30EE-237E-4993-A29D-4D13F179FD16%40solidlinks.nl.

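The masking redirector Erik describes, worked through as an added example (this is not code from the thread, from Django, or from Dropbox or Evernote). Two halves: when the nonce-protected page is rendered, every external `<a href>` is rewritten to point at a redirector path that carries the destination but not the nonce; the redirector then validates the destination and sends the visitor on. One caveat a practitioner should know: a plain 302 does not achieve the goal, because browsers keep the original document as the Referer across redirects, so the interstitial below is a small HTML page that opts out of sending any referrer. The host names `share.example` and `partner.example`, the redirector path `/out/`, and the sample HTML are constructed for the example.

```python
"""Referer masking for nonce-protected share pages (constructed example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

SITE_HOST = "share.example"   # constructed: the host serving nonce URLs
REDIRECTOR_PATH = "/out/"     # constructed: the masking redirector path


def is_external(href, site_host=SITE_HOST):
    """True only for absolute http(s) links to another host.

    Relative links, same-host links and non-web schemes (mailto:,
    javascript:, ...) are not external and are never redirected."""
    parts = urlsplit(href)
    return parts.scheme in ("http", "https") and (parts.hostname or "").lower() != site_host


def mask_href(href):
    """Point an external link at the redirector; the nonce page's URL
    itself is never placed in the link, only the destination."""
    return REDIRECTOR_PATH + "?" + urlencode({"to": href})


class LinkMasker(HTMLParser):
    """Re-emits the document unchanged except for external <a href> values."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def _render(self, tag, attrs, self_closing):
        pieces = [tag]
        for name, value in attrs:  # HTMLParser has already unescaped values
            if tag == "a" and name == "href" and value and is_external(value):
                value = mask_href(value)
            pieces.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(pieces) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def mask_external_links(html_text):
    """Rewrite the rendered nonce page before it is sent to the browser."""
    parser = LinkMasker()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


def redirect_page(query_string, site_host=SITE_HOST):
    """Server side of the redirector. Returns (status, headers, body).

    A 302 would forward the nonce page as Referer, so instead a tiny page is
    served that declares no-referrer (header and meta) and then refreshes to
    the destination. Destinations are restricted to external http(s) URLs so
    the endpoint cannot be used to bounce to javascript: or same-site paths."""
    target = parse_qs(query_string).get("to", [""])[0]
    if not is_external(target, site_host):
        return 400, {"Content-Type": "text/plain"}, "invalid redirect target"
    safe = escape(target, quote=True)
    body = (
        "<!doctype html><html><head>"
        '<meta name="referrer" content="no-referrer">'
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        f'</head><body><a rel="noreferrer" href="{safe}">Continue</a></body></html>'
    )
    headers = {"Content-Type": "text/html; charset=utf-8", "Referrer-Policy": "no-referrer"}
    return 200, headers, body


# Constructed sample of a rendered share page: one same-site link, one
# external link with a query string, one mailto: link.
SAMPLE_HTML = (
    '<p>Shared by <a href="https://share.example/u/alice">Alice</a>. '
    'See <a href="https://partner.example/doc?id=7&amp;x=1">the doc</a> and '
    '<a href="mailto:bob@example.org">Bob</a>.</p>'
)

if __name__ == "__main__":
    masked = mask_external_links(SAMPLE_HTML)
    print(masked)
    status, headers, body = redirect_page(urlsplit(masked.split('href="')[2].split('"')[0]).query)
    print(status, headers["Referrer-Policy"])
```

Only the external link is rewritten; the same-site and mailto: links are left alone. Modern browsers also honour `rel="noreferrer"` directly on the anchor, which removes the need for the interstitial hop where that markup can be guaranteed, but the redirector still has the advantage Erik mentions: it works for content rendered by a custom viewer where you control the links but not the browser.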