Comments (8)
Why do you need csrf protection here? An audience is embedded in the assertion that is already short lived. What's the exploit here? (apologies in advance for being dense)
from persona.
I was actually wondering the same thing, but I figured that I just didn't understand the protocol well enough. It does sorta run circles around my head, but that's why I figured a definitive answer should be somewhere in the developer guide (or an FAQ or somesuch).
from persona.
@benadida plz hop in and comment here.
If resolution is that there is no real benefit to csrf here, I'm ok with docing, but would like to tuck it away in a FAQ and the sample code... In the interest of keeping tutorial tight.
from persona.
There is actually an attack, specifically a login CSRF attack. Attacker forces victim (in invisible iframe) to log in as the attacker. Victim doesn't notice, enters secret information in web site, attacker can now see the data entered. Details here:
http://seclab.stanford.edu/websec/csrf/csrf.pdf
So in fact I think we do need to urge CSRF protection at the moment of passing the assertion back to the server. This is non-trivial to describe. Lloyd, you've been writing excellent dev docs, do you want to try here, or should I?
from persona.
thanks for that link, @benadida. I'm a tad more sparse now. (OT: It seems like referrer validation should be sufficient to harden our internal wsapi, a hole that's been bothering me, and now seems very simple to plug)
As far as documenting best practices for how the RP should get assertions up, where do you think we ought to doc that? I feel like we need to flesh out myfavoritebeer.org and perhaps have a more thorough manual that describes how to build great browserid support using myfavoritebeer as an example?
(General caution though, we should be graceful as we use browserid as a vector to raise awareness of web security. Like in this specific attack, the user must not realize who they're logged in as. If you're building a comment system on your blog and using browserid, it might be fine to just show gravatars as the user is putting in comments, and rely on this visual cue to mitigate the attack which has no real bite in this case anyway, your comments appear as if they were mine, muhahahha..)
from persona.
referrer checking might be sufficient for us because we're only over SSL, but I would still be more comfortable with more systematic CSRF protection in our forms.
As for where we document it, how about we create an advanced security page on browserid.org where we list the various issues, and we point to this one in a single line on developers.html?
from persona.
added:
https://github.com/mozilla/browserid/wiki/Security-Considerations-when-Implementing-BrowserID
from persona.
Catching up on older, closed issues with the Verified label.
from persona.