Page 2 of 2

Re: Be able to login to bank

Posted: Tue Mar 14, 2017 8:49 pm
by fatboy
In this case, start.me can send requests not only to online.citi.com/US/JRS/portal/index.do.
If you think that it is fine, then let it be.
Thank you very much.

Re: Be able to login to bank

Posted: Tue Mar 14, 2017 10:20 pm
by barbaz
Ah, now I see what you're saying. Sure, something like this could likely work -

Code:

Site https://online.citi.com/US/JRS/portal/index.do
Accept from https://start.me/* .citi.com
Deny
Site .online.citi.com
Accept from .citi.com
Deny
It does reduce attack surface slightly, but not by that much. Especially since only the https version of start.me is allowed to link the bank site, and you're already trusting start.me not to abuse it.

Re: Be able to login to bank

Posted: Wed Mar 15, 2017 3:28 am
by Thrawn
To allow linking, you could adjust it to:

Code:

Site https://online.citi.com/US/JRS/portal/index.do
Accept from .citi.com
Anon GET from https://start.me/*
Deny
Site .online.citi.com
Accept from .citi.com
Deny
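To make the difference between barbaz's and Thrawn's rulesets concrete, here is a small evaluator that replays the two rulesets quoted above against a handful of constructed requests. This is an added example, not code from NoScript or from either poster; the matching semantics are assumptions (a simplified reading of ABE: rules scanned top-down, first matching action wins, a pattern containing "://" is a glob over the whole URL, a leading "." matches a domain and its subdomains, and "Anon" means the request goes out without cookies or other credentials). The origin URLs in the examples are constructed, not taken from the thread.

```python
import fnmatch
from urllib.parse import urlsplit

# Rulesets copied verbatim from the thread (barbaz's and Thrawn's proposals).
BARBAZ_RULES = """
Site https://online.citi.com/US/JRS/portal/index.do
Accept from https://start.me/* .citi.com
Deny
Site .online.citi.com
Accept from .citi.com
Deny
"""

THRAWN_RULES = """
Site https://online.citi.com/US/JRS/portal/index.do
Accept from .citi.com
Anon GET from https://start.me/*
Deny
Site .online.citi.com
Accept from .citi.com
Deny
"""

ACTIONS = {"Accept", "Deny", "Anon"}


def parse_rules(text):
    """Parse into [(site_patterns, [(action, methods, origins), ...]), ...].

    Assumed grammar (simplified from ABE): a 'Site' line opens a rule and
    lists destination patterns; each following line is
    '<Action> [METHOD ...] [from <origin> ...]'.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "Site":
            rules.append((tokens[1:], []))
            continue
        action = tokens[0]
        if action not in ACTIONS or not rules:
            raise ValueError(f"unsupported or misplaced line: {line!r}")
        if "from" in tokens:
            i = tokens.index("from")
            methods, origins = tokens[1:i], tokens[i + 1:]
        else:
            methods, origins = tokens[1:], []
        rules[-1][1].append((action, set(methods), origins))
    return rules


def pattern_matches(pattern, url):
    """Assumed matching: '://' patterns are globs over the full URL (so an
    exact URL only matches itself); a leading '.' matches the domain and all
    subdomains; anything else must equal the host exactly."""
    if "://" in pattern:
        return fnmatch.fnmatchcase(url, pattern)
    host = urlsplit(url).hostname or ""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def evaluate(rules, dest, origin, method="GET"):
    """Return 'Accept', 'Deny' or 'Anon' for one request.

    Assumed semantics: rules scanned top-down, first action whose method and
    origin predicates match wins; no matching rule means Accept. 'Anon' lets
    the request through stripped of cookies and other credentials, so it
    cannot act on the user's logged-in session.
    """
    for sites, actions in rules:
        if not any(pattern_matches(p, dest) for p in sites):
            continue
        for action, methods, origins in actions:
            if methods and method not in methods:
                continue
            if origins and not any(pattern_matches(o, origin) for o in origins):
                continue
            return action
    return "Accept"


def compare(dest, origin, method="GET"):
    """(barbaz verdict, Thrawn verdict) for the same request."""
    return (evaluate(parse_rules(BARBAZ_RULES), dest, origin, method),
            evaluate(parse_rules(THRAWN_RULES), dest, origin, method))


if __name__ == "__main__":
    LOGIN = "https://online.citi.com/US/JRS/portal/index.do"
    # Constructed origins for illustration; the only one from the thread is start.me.
    for origin, method in [("https://start.me/dashboard", "GET"),
                           ("https://start.me/dashboard", "POST"),
                           ("http://start.me/dashboard", "GET"),
                           ("https://www.citi.com/", "POST"),
                           ("https://attacker.example/", "GET")]:
        b, t = compare(LOGIN, origin, method)
        print(f"{method:4} {origin:28} -> barbaz={b:6} thrawn={t}")
```

The rows that matter are the first two: a link click from https://start.me is accepted with cookies under barbaz's rules but goes out anonymously under Thrawn's, and a POST from start.me to the login URL is accepted under barbaz's rules but denied under Thrawn's. Everything else (http:// start.me, arbitrary third parties, other paths on online.citi.com) is denied by both, and citi.com itself is accepted by both, which is the "reduces attack surface slightly" point made above.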