Firefox RFE: Warn before adding auth to cross-site requests
Does anyone else think that this 12-year-old Firefox RFE sounds very much worth doing? The default browser behavior, of automatically attaching all of your cookies and HTTP AUTH to any cross-site request that random.com chooses to send, is just begging for CSRF attacks. Having an option to warn first - like the dialog to ask before setting cookies - would be really handy.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
GµårÐïåñ
Re: Firefox RFE: Warn before adding auth to cross-site reque
Yeah but isn't it pretty much obsolete with NS installed?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Re: Firefox RFE: Warn before adding auth to cross-site reque
GµårÐïåñ wrote: Yeah but isn't it pretty much obsolete with NS installed?
Mostly yes, especially with RequestPolicy as well.
However:
- Lots of people either don't know about NS, or think it's too heavy-handed (their loss, of course). Putting this functionality into Firefox would make it available to *anyone* who explores the Preferences menu.
- Unwisely trusting a site would allow it to bypass NS protection. Likewise for people who use Scripts Globally Allowed or click-to-play mode (i.e. globally allow but block plugins).
- The default behavior of Firefox on this issue is just plain terrible from a security standpoint.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: Firefox RFE: Warn before adding auth to cross-site reque
I don't store logins, either in the browser's pw manager or in permanent cookies, and when doing sensitive things like banking, always close browser - reopen -- do banking - close -- reopen if intending to continue browsing. Everything gets dumped when closing.
To open this address, Mozilla needs to use your stored login for `Realm' at `server'.
So I think these practices mitigate the threat, at least for serious things like banking, but I can't think of a good reason *not* to implement the RFE, because, as you correctly noted, most users are not security-conscious.
GµårÐïåñ
Re: Firefox RFE: Warn before adding auth to cross-site reque
@Thrawn, I agree with you in the sense that Fx is HORRIBLE when it comes to security, it went from being the unexploitable alternative to IE (their claim) to being worse. In fact, IE 9 has much better built-in security than Fx does out of the box and that's just disappointing.
@Tom, I agree with you as well. I don't store squat on Fx and I don't leave anything behind and this option would be another set it and forget it and think you are safe excuse for users to just be lazy about their own security.
I guess it won't hurt for it to be there, like JS disabling is in there (NS functionality), third-party cookie blocking is in there (Ghostery functionality), image blocking is in there (Adblock functionality), but of course in all cases very limited, tediously manual and not comprehensive at all. So adding another fairly crippled functionality to the list won't hurt, but I don't think it will help much either, just saying.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Re: Firefox RFE: Warn before adding auth to cross-site reque
If a site is sensible enough not to be vulnerable to CSRF GET, and they disable autofill of passwords so the browser doesn't remember them, then would this not also protect against XSS and clickjacking?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
GµårÐïåñ
Re: Firefox RFE: Warn before adding auth to cross-site reque
Thrawn wrote: If a site is sensible enough not to be vulnerable to CSRF GET, and they disable autofill of passwords so the browser doesn't remember them, then would this not also protect against XSS and clickjacking?
I think it would, yeah, but can't say for sure.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Re: Firefox RFE: Warn before adding auth to cross-site reque
It's also a possible answer to the recently-published CRIME attack against TLS. Note the paragraph near the end of that article, in brackets:
[It would be better if the security model of Javascript was fixed to prevent malicious code from sending arbitrary requests to a bank server; I am not sure it is easy, though.]
It seems to me that this RFE would go a long way toward accomplishing that. Arbitrary requests could be sent, but if they're being sent to a site that has cookies or HTTP AUTH, then the user gets a warning dialog, so they can anonymize or block the requests.
Does anyone want to upvote it on Bugzilla?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.