On Thu, Apr 30, 2015 at 8:52 AM, martijn.list <[email protected]> wrote:
> Hi,
>
> Enabling use_secure_urls has some side effects which I'm looking at how
> to solve.
>
> For example, a user might have defined a bookmark to the RC login page
> (www.example.com/webmail/). This works fine just as long as the user is
> not yet logged in. However if the user is already logged in and the user
> wants to check whether there is any new mail and therefore clicks the
> bookmark, an error page with "Access to this service was denied due to
> failing security checks!" is shown. The user should then click the
> "click here to try again" link which will redo the request but now with
> the correct token in the URL. Since the GET request is redone but now
> with the correct token added, to me it looks like checking the URL token
> for GET requests will not bring additional security because if the user
> clicks the "click here to try again" link, the request will be done anyway.
That's exactly the point: the user has to CLICK the link -> human interaction required. The random hash in the webmail URL is supposed to protect from CSRF or click-jacking attacks by making it harder for an attacker to guess the URL for the actual actions on the webmail application with a possibly active session. Roundcube already has proper protection for POST and Ajax requests. The unique-per-session URLs add the missing piece for GET requests.

> Is it possible to disable the secure URL check for certain pages and/or
> requests? Perhaps with a plugin? or is it all or nothing?

No it isn't, it's literally all or nothing. But what "certain pages" would you then like to exclude? Once you allow one, you lose protection against click-jacking.

~Thomas

_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
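The following is an added illustration of the point made in this thread; it is not code from the thread or from Roundcube. It sketches a per-session URL token check for GET requests: a bookmark saved before login carries no token and is denied, a URL an attacker crafts with a guessed token or a token from another session is denied, and the "click here to try again" link works because the server, which knows the session's token, builds it. Roundcube itself places the token in the URL path; this sketch uses a query parameter (assumed name: _token) and a plain dictionary as the session record to keep the mechanics visible.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical parameter name; Roundcube's real URL layout differs.
TOKEN_PARAM = "_token"


def new_session(user):
    """Create a login session with a fresh, unguessable per-session URL token."""
    return {"user": user, "url_token": secrets.token_hex(16)}


def secure_url(session, path, params=None):
    """Build a link the application itself emits: the request plus this session's token."""
    query = dict(params or {})
    query[TOKEN_PARAM] = session["url_token"]
    return f"{path}?{urlencode(query)}"


def check_get(session, url):
    """Server-side check for a GET request: 'ok' only if the URL carries the session's token.

    A bookmark saved before login, or a link built by a party that does not know
    the token, has no (or a wrong) token and is denied. The constant-time compare
    avoids leaking the token through timing differences.
    """
    supplied = parse_qs(urlparse(url).query).get(TOKEN_PARAM, [""])[0]
    if supplied and hmac.compare_digest(supplied.encode(), session["url_token"].encode()):
        return "ok"
    return "denied"


def retry_link(session, url):
    """The 'click here to try again' link on the error page: same request, token added.

    Only the server can produce this link, because only it knows session['url_token'];
    that is why the user's click is the step a cross-site page cannot replace.
    """
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items() if k != TOKEN_PARAM}
    return secure_url(session, parsed.path, params)


def walkthrough():
    """Replay the scenario from the thread and return the outcome of each request."""
    session = new_session("alice")
    bookmark = "/webmail/?_task=mail"  # constructed: saved before login, so no token
    forged = f"/webmail/?_task=mail&{TOKEN_PARAM}={'0' * 32}"  # constructed: guessed token
    other = new_session("mallory")  # a valid token, but from a different session

    return {
        "bookmark": check_get(session, bookmark),
        "forged": check_get(session, forged),
        "other_session": check_get(session, secure_url(other, "/webmail/", {"_task": "mail"})),
        "after_retry": check_get(session, retry_link(session, bookmark)),
    }


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

Running it shows the three token-less or wrong-token requests denied and only the server-built retry link accepted, which is the property Thomas describes: the check is not about the GET being redone, it is about who can construct the URL that gets accepted.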
