|
MALE SHOEGAZE posted:wait so if I have a database or webapp running on localhost, some random javascript from the web can access that and download data and then send it back to wherever? no, unless you configure the local service to permit it, via CORS headers E: similarly, something awful dot calm can't fire off a request to gmail and get your mail. cross-origin requests aren't permitted to read responses into script unless the site explicitly opts into it Subjunctive fucked around with this message at 13:38 on Jan 12, 2018 |
#
¿
Jan 12, 2018 13:24
|
|
|
|
| # ¿ May 13, 2024 23:43 |
|
|
MALE SHOEGAZE posted:gee i wonder how most webservers are configured. uh, what web servers are configured with permissive CORS? repeating my edit: similarly, something awful dot calm can't fire off a request to gmail and get your mail. cross-origin requests aren't permitted to read responses into script unless the site explicitly opts into it localhost isn't special, and shouldn't be
|
|
#
¿
Jan 12, 2018 13:39
|
|
|
MALE SHOEGAZE posted:sorry, i didn't mean to say that apache/nginx allow permissive cors, but rather ye old rails app trying to integrate with a SPA running on node. sure, how are most of them configured? if you're running rails anywhere (including localhost, which would be an odd choice I think) then having open CORS means you can get hit by an arbitrary site. it has nothing to do with localhost
|
|
#
¿
Jan 12, 2018 13:46
|
|
|
ohgodwhat posted:Didn't we just see a bug report on a service with permissive CORS running on localhost? sure, but it'd be the same bug if it were running on whatever.com, which also happens. a browser won't just bridge arbitrary origins, an explicit software-level (vs configuration) secfuck is required
|
|
#
¿
Jan 12, 2018 13:55
|
|
|
Cocoa Crispies posted:does CORS prevent js-triggered or user-initiated form submissions from happening, or just their result being visible to js? forms can be submitted cross-origin, but results aren't visible. this is where CSRF comes from, and the use of request tokens. many frameworks already handle that stuff for you. all the origin architecture around form submission predates CORS by...a decade? it would actually be a huge pain to change even if you could wave a wand on compatibility, because post-to-other-server-when-non-submit-button-pressed is a very common and useful pattern CORS shouldn't prevent any user-initiated action, fwiw ymgve posted:as far as I understand it's the other way around - if there's no CORS policy present in the localhost site headers, the browser will not allow javascript to communicate with it correct
|
|
#
¿
Jan 12, 2018 15:29
|
|
|
ymgve posted:also this puts the burden of restricting on the browser, so if you have a non-sane browser, like IE5 for some reason, you might still be vulnerable IIRC IE5's proto-XHR didn't allow any xdomain requests, other than through their trust zone bullshit. oh, and the still-to-this-day ignoring of port number in the origin 
|
|
#
¿
Jan 12, 2018 15:48
|
|
|
Progressive JPEG posted:Google are just blindly assuming useragent Firefox == no support Google does naive user-agent poo poo all the time
|
|
#
¿
Jan 12, 2018 19:30
|
|
|
vOv posted:sometimes just sending the request can be enough even if you don't get to read the response sure, but in that case a redirect or image tag works
|
|
#
¿
Jan 13, 2018 13:56
|
|
|
Cocoa Crispies posted:not for a POST? oh, fair enough
|
|
#
¿
Jan 13, 2018 14:07
|
|
|
Shaggar posted:yeah it sounds like they may be trying to come up with a set of standards for disclosure processes so people aren't left out which on the one hand makes sense. having CERT act as a clearing house for the disclosure from the start could be good and would also have the benefit of shifting liability for the disclosure off the companies involved. On the other hand how much do you trust the feds to handle security on your behalf? didn’t CERT used to do this in the 90s? I’m pretty sure we worked with them on some embargoed issue.
|
|
#
¿
Jan 25, 2018 02:55
|
|
|
spankmeister posted:They still do, not only US-CERT but also Carnegie Mellon CERT aka CERT/CC. I've worked with both extensively on certain hyped vulnerabilities. (And non-hyped but arguably worse vulns lol) yeah, I was thinking of US-CERT, my bad
|
|
#
¿
Jan 25, 2018 09:23
|
|
|
anthonypants posted:i'm pretty sure hipaa isn't prescriptive and that you're thinking of fips certification ugh loving FIPS
|
|
#
¿
Jan 25, 2018 20:04
|
|
|
are clandestine military forces at a civilian facility going to jog around the base in formation every morning? maybe do push-ups together in the courtyard?
|
|
#
¿
Jan 28, 2018 18:07
|
|
|
Trabisnikof posted:You haven’t been to the perimeter of many us weapons labs I take it the two I’ve been to were pretty obvious
|
|
#
¿
Jan 28, 2018 19:04
|
|
|
cheese-cube posted:no i havent but im sure they dont have loving bike paths Livermore and PNNL do, actually
|
|
#
¿
Jan 28, 2018 19:04
|
|
|
Trabisnikof posted:They just usually don’t let you sit at fence with binoculars for hours without getting someone’s attention I sat in a car across from the Livermore staff entrance for 2 hours once, undisturbed. no binoculars though
|
|
#
¿
Jan 28, 2018 19:15
|
|
|
Cocoa Crispies posted:or it means someone on tv news said "hardened network" too many times and convinced the dumbest person in the white house to ask for it this right here
|
|
#
¿
Jan 29, 2018 15:50
|
|
|
pseudorandom name posted:iirc, Windows Update uses TLS integrity but not encryption, which is forbidden by the HTTP/2 spec the spec doesn’t mean you’ll get arrested if you don’t follow it, just that you won’t interoperate. they don’t care about interoperation, so it’s just as fine as if they’d used a totally custom protocol
|
|
#
¿
Jan 29, 2018 21:18
|
|
|
if you can’t do the time, don’t do the browsing
|
|
#
¿
Jan 30, 2018 01:28
|
|
|
MononcQc posted:eh, to me it's more about the measures developers should probably take to protect their users' privacy because seemingly minor things (like a tracking cookie, for example), could be used by authoritarian regimes to purge people. what would protecting their users' privacy look like in this case?
|
|
#
¿
Jan 30, 2018 17:09
|
|
|
Cocoa Crispies posted:selectively lower the resolution based on the number of individuals that have worked out in an area the post I was responding to was talking about a tracking pixel, not Strava
|
|
#
¿
Jan 30, 2018 19:24
|
|
|
yes, good, very practical. thanks
|
|
#
¿
Jan 30, 2018 19:28
|
|
|
|
| # ¿ May 13, 2024 23:43 |
|
|
what mail client doesn’t behave that way?
|
|
#
¿
Jan 30, 2018 20:22
|
|