On 04/30/2015 11:54 AM, Thomas Bruederli wrote:
> On Thu, Apr 30, 2015 at 8:52 AM, martijn.list <[email protected]> wrote:
>> Hi,
>>
>> Enabling use_secure_urls has some side effects which I'm looking at how
>> to solve.
>>
>> For example, a user might have defined a bookmark to the RC login page
>> (www.example.com/webmail/). This works fine just as long as the user is
>> not yet logged in. However, if the user is already logged in and the user
>> wants to check whether there is any new mail and therefore clicks the
>> bookmark, an error page with "Access to this service was denied due to
>> failing security checks!" is shown. The user should then click the
>> "click here to try again" link, which will redo the request but now with
>> the correct token in the URL. Since the GET request is redone but now
>> with the correct token added, to me it looks like checking the URL token
>> for GET requests will not bring additional security because if the user
>> clicks the "click here to try again" link, the request will be done anyway.
>
> That's exactly the point: the user has to CLICK the link -> human
> interaction required.

I understand the concept, although in practice I think most users would
just click the link without understanding the implications. Anyway, it
was not criticism from my side, just a note.

> The random hash in the webmail URL is supposed to protect from CSRF or
> click-jacking attacks by making it harder for an attacker to guess the
> URL for the actual actions on the webmail application with a possibly
> active session. Roundcube already has proper protection for POST and
> Ajax requests. The unique-per-session URLs add the missing piece for
> GET requests.
>
>> Is it possible to disable the secure URL check for certain pages and/or
>> requests? Perhaps with a plugin? Or is it all or nothing?
>
> No it isn't, it's literally all or nothing. But what "certain pages"
> would you then like to exclude? Once you allow one, you lose
> protection against click-jacking.

If the secure URLs are enabled, the user can no longer open the webmail
page using a general bookmark if the user is already logged in. You might
argue that if the user is already logged in the webmail is already open in
some page, but when you have a lot of open pages you might have forgotten
that you already opened a page somewhere. If the user now clicks the
bookmark, the failing security checks error message is shown. Is that a
show stopper? No, but it can be annoying for users who do not understand
what it actually means.

Kind regards,

Martijn

_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
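To make the behaviour discussed in this thread concrete, the following is an added illustration of a per-session URL token check for plain GET requests, in the spirit of use_secure_urls. It is not Roundcube's own code: the base path /webmail/, the placement of the token as the first path segment after it, the session layout and the return values of check_get() are all assumptions made for the example. It shows the three outcomes the thread describes: the tokenless bookmark serves the login page when no session exists, is denied with a "try again" URL carrying the correct token when a session does exist, and that retry URL is then accepted; a token belonging to a different session is rejected, which is what makes a URL guessed from another site useless against an active session.

```python
"""Per-session URL token check for GET requests (added illustration,
not Roundcube code). Assumed layout: /webmail/<token>/?<query>."""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

BASE = "/webmail/"  # assumed webmail base path


def new_session(user: str = "alice") -> dict:
    """Create a logged-in session with its own random URL token
    (the 'random hash in the webmail URL')."""
    return {"user": user, "url_token": secrets.token_urlsafe(12)}


def secure_url(session: dict, query: str = "") -> str:
    """Build the per-session form of a webmail URL, e.g. the target of
    the 'click here to try again' link."""
    url = f"{BASE}{session['url_token']}/"
    return url + ("?" + query if query else "")


def check_get(session: Optional[dict], url: str) -> Tuple[str, Optional[str]]:
    """Decide what happens to a plain GET request.

    Returns one of:
      ("login", None)     no active session: the login page is shown
      ("ok", None)        token present and matches the session
      ("denied", retry)   session active but token missing or wrong:
                          the 'failing security checks' page is shown,
                          with `retry` as the 'try again' link
    """
    parts = urlsplit(url)
    if session is None:
        return ("login", None)
    # The token is the first path segment after the base path, if any.
    rest = parts.path[len(BASE):] if parts.path.startswith(BASE) else ""
    supplied = rest.split("/", 1)[0]
    # Constant-time comparison so the check does not leak the token
    # through timing differences.
    if supplied and hmac.compare_digest(
        supplied.encode(), session["url_token"].encode()
    ):
        return ("ok", None)
    # A tokenless bookmark, or a URL crafted without knowing the session's
    # token, cannot act on the session; the user has to click through.
    return ("denied", secure_url(session, parts.query))


if __name__ == "__main__":
    s = new_session()
    print(check_get(None, BASE))                 # ('login', None)
    state, retry = check_get(s, BASE + "?_task=mail")
    print(state, retry)                          # denied /webmail/<token>/?_task=mail
    print(check_get(s, retry))                   # ('ok', None)
```

The "all or nothing" point from the thread is visible in check_get(): exempting a page means adding a branch that returns "ok" without a matching token, and any such branch is a GET the session will act on without the user's click.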
