I want my service to have such a feature: author can fully customize the page, but can't steal users' cookies.
Tumblr had some troubles with that, but solved them successfully http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html
So I need the solution with
- no moderation
- full access to html code of pages for users-authors, don't want white-list filtering and templating language (that is how it works now :( )
- no opportunity to steal each others cookies (on pages of other authors)
- centralized authentication db
- desirable: without authentication on each authors page
As I understand tumblr:
- separate domains without access to cookies of each other
- users are still authenticated on each subdomain (HOW??? www.tumblr.com js has access to main session cookies? Is that secure?)
- auth cookies should be httponly?..
Can I have secure and comfortable for users solution? Is cookie-theft the main issue of full access to html?
I want my service to have such a feature: author can fully customize the page, but can't steal users' cookies.
So I guess that you want to enable javascript for them but you do not want to allow manipulating cookies. This should be simple: just place it before the user's page loads:
if (document.__defineGetter__)
{
document.__defineGetter__("cookie", function () { return ""; } );
document.__defineSetter__("cookie", function () { } );
}
else // IE
{
Object.defineProperty(document, "cookie",
{
get: function () { return ""; },
set: function () { return true; },
});
}
users are still authenticated on each subdomain (HOW??? www.tumblr.com js has access to main session cookies? Is that secure?)
This is also simple - cookies supports this. Its domain attribute:
Set-Cookie: name=value; path=/; domain=.example.com
auth cookies should be httponly?..
Of course - they should be for the better security.
来源:https://stackoverflow.com/questions/16267847/user-editable-html-xss-protection-tumblr-like