evan_tech

Previous Entry Share Next Entry
05:31 pm, 26 Jan 06

livejournal cookie stealing

Great summary* of the LiveJournal security situation: "Due to the fact that we cannot clean every external CSS stylesheet linked to every time we generate a journal page, this change is required. [...] With Mozilla deciding to allow the execution of arbitrary JavaScript via CSS, there is no other viable solution than the one we have undertaken."

My takeaway is that it's pretty much impossible to let your users simultaneously (a) create their own personal pages (b) on a site where other users have identities managed by cookies.

This was one of the reasons blogspot could let users have arbitrary JS: it's a totally separate domain, so there's nothing to worry about. ...or is there? [cue ominous music] (To tell the truth, I have no confidence either way.)


* David always trips me out because he's like 12 years old and sorta looks like a big kid but comes across as totally competent in text.