[security] Open Redirector issue with checkid_immediate
Andrew Arnott
andrewarnott at gmail.com
Tue Jun 9 03:13:24 UTC 2009
I don't think browser javascript can manipulate the Referrer header. So it
seems like a reasonable precaution to me to check it.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Mon, Jun 8, 2009 at 7:26 PM, SitG Admin
<sysadmin at shadowsinthegarden.com> wrote:
>> If this is used on a web site it seems like a lot of trouble to go to.
>> They are already on a bad site.
>>
>
> If the site is bad, couldn't it also be sending the user's browser a script
> to spoof referer?
>
>> I suspect the major threat is from email links. In that case there would
>> be no referrer and the OP could detect that.
>>
>
> It could also detect people who are browsing through proxies (or modified
> browsers) to strip the referer information for their privacy.
>
> "Hi, we've detected that your privacy settings prevent our software from
> working. To continue using OpenID, please follow these instructions to
> reduce your privacy on the internet."
>
> -Shade
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
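The thread weighs a Referer check on the OP side as a precaution against the open redirector, against the objection that email links, proxies and privacy-minded browsers legitimately arrive with no Referer at all. The sketch below is an added example and is not code from this thread or from any OpenID library; the host allowlist, the header dictionary shape and the "confirm" (interstitial) outcome for a missing Referer are assumptions. It keeps the two checks separate: the return_to host is validated on its own, and the Referer only decides between redirecting immediately and asking the user first, so a stripped Referer degrades to a confirmation page rather than a failure.

```python
from enum import Enum
from urllib.parse import urlsplit


class RefererVerdict(Enum):
    TRUSTED = "trusted"      # Referer present and from an allowlisted host
    UNTRUSTED = "untrusted"  # Referer present but from some other host
    ABSENT = "absent"        # no Referer: email link, proxy, privacy setting


def classify_referer(headers: dict, expected_hosts: set) -> RefererVerdict:
    """Classify the request's Referer header (wire name 'Referer').

    Header names are matched case-insensitively; `expected_hosts` is an
    assumed allowlist of lowercase hostnames the OP expects requests from.
    """
    referer = None
    for name, value in headers.items():
        if name.lower() == "referer":
            referer = value
            break
    if not referer:
        return RefererVerdict.ABSENT
    host = urlsplit(referer).hostname  # None for malformed or scheme-only URLs
    if host is None:
        return RefererVerdict.UNTRUSTED
    return RefererVerdict.TRUSTED if host in expected_hosts else RefererVerdict.UNTRUSTED


def decide_redirect(headers: dict, return_to: str, expected_hosts: set) -> tuple:
    """Return (action, reason) where action is 'redirect', 'confirm' or 'reject'.

    The return_to host is checked against the allowlist regardless of the
    Referer: that is the open-redirector check itself. The Referer only
    chooses between an immediate redirect and a confirmation step, so a
    missing Referer is not treated as an error (the proxy/email caveat).
    """
    rt_host = urlsplit(return_to).hostname
    if rt_host is None or rt_host not in expected_hosts:
        return ("reject", "return_to host not in allowlist")
    verdict = classify_referer(headers, expected_hosts)
    if verdict is RefererVerdict.TRUSTED:
        return ("redirect", "referer matches an allowlisted host")
    if verdict is RefererVerdict.ABSENT:
        return ("confirm", "no referer; show an interstitial instead of failing")
    return ("reject", "referer from an unexpected host")


if __name__ == "__main__":
    # Constructed sample requests; hostnames are placeholders.
    allow = {"rp.example"}
    samples = [
        ({"Referer": "https://rp.example/login"}, "https://rp.example/return"),
        ({}, "https://rp.example/return"),                       # proxy stripped it
        ({"Referer": "https://other.example/"}, "https://rp.example/return"),
        ({"Referer": "https://rp.example/"}, "https://attacker.example/"),
    ]
    for hdrs, rt in samples:
        print(hdrs.get("Referer", "<none>"), rt, "->", decide_redirect(hdrs, rt, allow))
```

The allowlist is the hard boundary; the Referer never widens it. If you adopt the "confirm" path, log it separately from rejections so you can see how many real users arrive without a Referer before deciding whether the check is worth keeping.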