From: "pelzflorian (Florian Pelz)"
Newsgroups: gmane.lisp.guile.user
Subject: Re: mailmam, web bridge, forum, p2p (was: Diversification)
Date: Thu, 24 Oct 2019 14:30:23 +0200
Message-ID: <20191024123023.rvedpc5uqrm5ku6v@pelzflorian.localdomain>
To: Amirouche Boubekki
Cc: Guile User
List-Id: General Guile related discussions
Xref: news.gmane.org gmane.lisp.guile.user:15814

On Thu, Oct 24, 2019 at 11:35:52AM +0200, Amirouche Boubekki wrote:
> Last time I checked, the security requirements for web applications that
> do not rely on JavaScript were too complicated. I preferred to forget
> about it.
>
> See https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
>
> The easiest path is (was?) to rely on a token sent by JavaScript.
> Meanwhile JavaScript brings other problems...

I refuse to believe JavaScript is in any way necessary.
The link you provided contains all the information I previously had about tokens, and more; it is a good reference. I did not know about login CSRF before; it is very relevant, thank you.

My current impression of best practice fits what is described at the site you linked under “Disclosure of Token in URL”: Ordinary HTTP cookies are bad practice for session tokens because of CSRF. If you want a normal link to another page on your site but retain the login session, you should not use cookies for that. Session tokens must therefore be supplied in HTTP parameters (GET or POST). So when a logged-in user makes a request, all hyperlinks in the HTML response (except logout) need to have their HTML code rewritten by the dynamic web server to contain the session token in the GET parameters. Similarly, all POST forms should contain the session token as a parameter value. Thus the session token is only supplied in GET or POST requests from the same site and same session, and no CSRF is possible anymore.

Since the URL used in a GET request will be exposed to the user, the session token should be invalidated after verification and the response should contain a new session token in its HTML code for hyperlinks and forms. The downside is that URLs are less pretty, but meh…

Invalidating tokens requires the server to store, for each registered user, the current session id and the timestamp until which the session id is valid. The same user could not be logged in simultaneously from multiple browsers. To enable multiple simultaneous logins by the same user, the server could instead store more sessions than it has users, but this might enable denial of service. Or the server could instead use what the site you linked describes as “Encryption based Token Pattern” to not have this problem. But then no token invalidation is possible, so instead of GET requests we would need to use HTTP POST for every hyperlink, which is sometimes bad for the browser to deal with.
Because of login CSRF, the Referer header should also be verified for all links internal to the website (external links should strip the Referer header via redirect pages similar to what the code attached to this mail does).

I do not know what Artanis does currently. I will check next week.

> It seems to me the
> browser paradigm with the _JavaScript_ wanna-be sandbox is the wrong
> way forward.

A sandbox does not guarantee security from hardware bugs like Rowhammer or Spectre (but neither do multi-user setups). Also, a sandbox does not protect your computer from mining bitcoins for someone else in a sandboxed environment. It also permits bad, battery-draining code. Perhaps more importantly, JavaScript has all kinds of privacy implications and encourages users to run nonfree code.

> I would much prefer the modern approach where a peer
> exposes an API and people build clients.

Many enterprises offer not APIs but non-downloadable JavaScript services as a software substitute.

> There is a proof-of-concept bulletin board using gnunet
> https://git.gnunet.org/gnunet-guile2.git/tree/prototypes/c3b2

That is interesting. I will check.

Regards,
Florian

[Attachment: web-redirector.scm]

;;; Copyright © 2019 Florian Pelz
;;;
;;; This website’s code (but not content) is free software; you can
;;; redistribute it and/or modify it under the terms of the GNU
;;; General Public License as published by the Free Software
;;; Foundation; either version 3 of the License, or (at your option)
;;; any later version.
;;;
;;; This website is distributed in the hope that it will be useful,
;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
;;; General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with this website.  If not, see .

(use-modules (haunt html)
             (web request)
             (web response)
             (web server)
             (web uri))

;; Parse the query string of REQUEST into an alist of decoded
;; (key . value) pairs.  This helper was not included in the attachment
;; as posted; it is supplied here so that the file runs stand-alone.
(define (get-query-alist request)
  (let ((query (uri-query (request-uri request))))
    (if query
        (map (lambda (pair)
               (let ((kv (string-split pair #\=)))
                 (cons (uri-decode (car kv))
                       (if (null? (cdr kv))
                           ""
                           (uri-decode (string-join (cdr kv) "="))))))
             (string-split query #\&))
        '())))

;; Serve /redirect?url=…: an interstitial page that forwards the browser
;; to the external URL.  The browser leaves from this page rather than
;; from the page that carried the link, so the outgoing request does not
;; reveal the internal URL in its Referer.
(define (handle-external-request request request-body)
  (cond ((not (eq? (request-method request) 'GET))
         (values (build-response #:code 403)
                 "Redirector only accepts GET requests."))
        ((not (string-suffix? "/redirect" (uri-path (request-uri request))))
         (values (build-response #:code 403)
                 "Redirector only accepts requests for /redirect?… URLs."))
        (else
         (let* ((query-alist (get-query-alist request))
                (redirect-url (assoc-ref query-alist "url")))
           (if (string? redirect-url)
               (values '((content-type . (text/html)))
                       (sxml->html-string
                        `((doctype "html")
                          ;; height: 100% so that the text can be centered vertically
                          (html (@ (style "height: 100%"))
                                (head
                                 (meta (@ (charset "utf-8")))
                                 ;; Added here: tell the browser explicitly not to
                                 ;; send a Referer on the outgoing navigation, rather
                                 ;; than relying on meta-refresh behaviour alone.
                                 (meta (@ (name "referrer") (content "no-referrer")))
                                 ;; The URL is escaped automatically by the SXML serializer.
                                 (meta (@ (content ,(string-append "3;url=" redirect-url))
                                          (http-equiv "refresh")))
                                 ;; Viewport settings belong in one content attribute.
                                 (meta (@ (name "viewport")
                                          (content "width=device-width, initial-scale=1, shrink-to-fit=no")))
                                 (title "Redirecting…"))
                                (body
                                 ;; display:table used to center text vertically
                                 (@ (style ,(string-append
                                             "display: table;"
                                             "height: 100%;"
                                             "width: 100%;"
                                             "margin: 0;")))
                                 (div
                                  (@ (style ,(string-append
                                              "text-align: center;"
                                              "display: table-cell;"
                                              "vertical-align: middle;")))
                                  ,(string-append "Redirecting to: " redirect-url)))))))
               ;; else: no redirect-url given
               (values (build-response #:code 403)
                       "No redirect URL given."))))))

;; Listen on a Unix socket; a front-end web server is expected to proxy
;; requests for /redirect to it.
(let ((sock (socket PF_UNIX SOCK_STREAM 0)))
  (bind sock AF_UNIX "redirector.sock")
  (run-server handle-external-request 'http `(#:socket ,sock)))
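The session scheme Florian describes above, namely a per-user token carried only as a GET or POST parameter, invalidated after each verified request and replaced by a fresh one in the response, together with the Referer check against login CSRF, as an added example in Python rather than Guile. This is not code from the message, from Artanis or from the OWASP cheat sheet; the store layout, the parameter name "session", the host "example.org", the token lifetime and the request shape accepted by `handle` are assumptions made for illustration.

```python
"""Session tokens carried only as request parameters, rotated on every verified
request, plus a same-host Referer check for internal links.

Added example (Python rather than Guile); not code from the message, from
Artanis or from OWASP.  The store layout, the parameter name "session", the
host "example.org" and the request shape handled by `handle` are assumptions.
"""

import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_LIFETIME = 900  # seconds a token stays usable without activity (assumed)


class SessionStore:
    """One current (token, expiry) per registered user.

    Keying by user is what the message proposes: the store can never hold more
    sessions than there are users, so it cannot be inflated by an attacker, at
    the price that a second login from another browser replaces the first.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_user = {}   # user -> (token, expires_at)
        self._by_token = {}  # token -> user

    def _issue(self, user):
        old = self._by_user.get(user)
        if old is not None:
            self._by_token.pop(old[0], None)
        token = secrets.token_urlsafe(32)
        self._by_user[user] = (token, self._clock() + TOKEN_LIFETIME)
        self._by_token[token] = user
        return token

    def login(self, user):
        return self._issue(user)

    def logout(self, user):
        old = self._by_user.pop(user, None)
        if old is not None:
            self._by_token.pop(old[0], None)

    def verify_and_rotate(self, token):
        """Return (user, fresh_token) if TOKEN is that user's current, unexpired
        token, else None.  A verified token is invalidated at once, so a copy
        that leaked through the URL (history, proxy logs, Referer) is dead as
        soon as the legitimate response has been sent."""
        user = self._by_token.get(token)
        if user is None:
            return None
        current, expires_at = self._by_user[user]
        if current != token:
            return None
        if self._clock() >= expires_at:
            self.logout(user)
            return None
        return user, self._issue(user)


def referer_is_internal(referer, site_host):
    """Login-CSRF check from the message: an internal request must originate
    from a page on our own host.  A missing Referer is rejected as well, since
    an attacker controls whether the header is present on a cross-site request."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.netloc == site_host


def internal_link(path, token):
    """Rewrite an internal hyperlink so it carries the current token, as the
    server does for every link and form in a logged-in response."""
    return f"{path}?{urlencode({'session': token})}"


def handle(store, site_host, method, url, referer, body=""):
    """Toy dispatcher.  The token is read from the GET query or the POST body,
    never from a cookie.  Returns (status, user, next_token); the caller embeds
    next_token in the links and forms of the response it renders."""
    params = parse_qs(urlsplit(url).query if method == "GET" else body)
    token = params.get("session", [None])[0]
    if token is None or not referer_is_internal(referer, site_host):
        return 403, None, None  # unauthenticated or cross-site: token not consumed
    verified = store.verify_and_rotate(token)
    if verified is None:
        return 403, None, None  # unknown, replayed or expired token
    user, fresh = verified
    return 200, user, fresh


def demo(site_host="example.org"):
    """Walk through a login, a legitimate click, a replay and a forged request."""
    store = SessionStore()
    token = store.login("alice")
    link = internal_link("/inbox", token)
    legit = handle(store, site_host, "GET", link, f"https://{site_host}/home")
    replay = handle(store, site_host, "GET", link, f"https://{site_host}/home")
    forged = handle(store, site_host, "POST", "/delete", "https://attacker.example/", "id=1")
    return legit[0], replay[0], forged[0]  # (200, 403, 403)
```

The Referer check runs before the token is consumed, so a cross-site request cannot be used to burn the victim's current token. Note the operational consequence of strict rotation: every response depends on the previous one having been verified, so a second tab or the browser's back button presents a stale token and is treated exactly like a replay; that is the cost of the one-token-per-user design the message accepts.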