2011/1/2 porneL <[email protected]>

> On Sun, 02 Jan 2011 18:58:05 -0000, Andraž Kos <[email protected]>
> wrote:
>
>
>> Everything in the user land can be changed/transformed/spoofed and can't
>> be trusted.
>>
>
> I trust the user who invokes the bookmarklet, by definition (and shared
> secret is supposed to prove that it's the user sending the request).


Take care with such a thought; it can be a security flaw!

By definition, users can never be trusted, and any action performed by a user
should be checked (or even double or triple checked, depending on the
criticality of your application). In fact, it's possible for an evil person to
mimic user actions (for example, it could be possible to use some breach
inside a browser to perform a "click" action on the bookmarklet even if the
user does not perform any real action, or worse, the user could do it themselves
in good faith; XSS and CSRF are based on that good faith).

Browsers and the web are insecure environments by design. Being a little
paranoid can be useful ;)


-- 
Jeremie
.............................
Web : http://jeremie.patonnier.net
Twitter : @JeremiePat <http://twitter.com/JeremiePat>
