this post was submitted on 10 Jul 2023
419 points (98.6% liked)
Programming.dev Meta
2476 readers
1 users here now
Welcome to the Programming.Dev meta community!
This is a community for discussing things about programming.dev itself. Things like announcements, site help posts, site questions, etc. are all welcome here.
Links
Credits
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
So what happened:
Am I right?
I'm old-school developer/programmer and it seems that web is peace of sheet. Basic security stuff violated:
Am I right? Correct me if I'm wrong.
Again, web is peace of sheet. This would never happen in desktop/server application. Any of the bullet points above would prevent this from happening. Even if the previous bullet point failed to do its job. Am I too naïve? Maybe.
Marek.
100%. Always act as though user provided content is malicious.
Uh... what? JavaScript is a client-side language (unless you're using NodeJS, which Lemmy is not). Which means JavaScript runs in the browser. And that JavaScript has access to cookies, that's just a basic part of how web browsers work. Lemmy can't do anything to prevent that.
Again, Lemmy can't do anything about that. Once there's a vulnerability that allows an attacker to inject arbitrary JS into the site, Lemmy can't do anything to prevent that JS from making requests.
On the backend you'd still have a single system which kind of defeats the purpose. Unless you're proposing a completely independent backend? Because that would be a massive PITA to build and would drastically increase the system's complexity and reduce maintainability.
Yes and No. Cookies could be accessed by JS on the client. BUT. When the cookie is sent by the server with additional
HttpOnly
header, then the cookie cannot be accessed from JS. Look at Lemmy GitHub issue, they discuss exactly this. Lemmy server absolutely has power to prevent this.I believe they can. But I'm not sure about this one. The server could send a response preventing the web browser to request content from other domains. Banks are using this. There was an attack years ago when attacker created a web page with i-frame in it. The i-frame was full screen to confuse the victim it is actually using the Banks site and not the attacker site. The bank web site was inside the inner i-frame, the code in the outer frame then had access to sensitive data in the inner frame. I believe there are HTTP response headers that instruct the web browser to not allow this. But I'm not sure I remember how exactly this works.
Yes, it would be more costly, but more secure. It is trade-off, which one is more important to you? In case of chat/blog/forum app such as Lemmy I prefer cheap, in case of my Bank website I prefer secure.