livejournal cookie stealing: evan_tech

livejournal cookie stealing

Great summary* of the LiveJournal security situation: "Due to the fact that we cannot clean every external CSS stylesheet linked to every time we generate a journal page, this change is required. [...] With Mozilla deciding to allow the execution of arbitrary JavaScript via CSS, there is no other viable solution than the one we have undertaken."

My takeaway is that it's pretty much impossible to let your users simultaneously (a) create their own personal pages (b) on a site where other users have identities managed by cookies.

This was one of the reasons blogspot could let users have arbitrary JS: it's a totally separate domain, so there's nothing to worry about. ...or is there? [cue ominous music] (To tell the truth, I have no confidence either way.)

* David always trips me out because he's like 12 years old and sorta looks like a big kid but comes across as totally competent in text.

Post a new comment
Error
We will log you in after post

We will log you in after post

We will log you in after post

We will log you in after post

We will log you in after post

Anonymously

switch

LiveJournal

Facebook

Twitter

OpenId

Google

MailRu

VKontakte

Anonymously

default userpic

When you submit the form an invisible reCAPTCHA check will be performed.
You must follow the Privacy Policy and Google Terms of use.

Preview comment

Help
2 comments

Post a new comment
2 comments

Log in

livejournal cookie stealing

Error