Evan Martin (evan) wrote in evan_tech,

livejournal cookie stealing

Great summary* of the LiveJournal security situation: "Due to the fact that we cannot clean every external CSS stylesheet linked to every time we generate a journal page, this change is required. [...] With Mozilla deciding to allow the execution of arbitrary JavaScript via CSS, there is no other viable solution than the one we have undertaken."

My takeaway is that it's pretty much impossible to let your users simultaneously (a) create their own personal pages (b) on a site where other users have identities managed by cookies.

This was one of the reasons blogspot could let users have arbitrary JS: it's a totally separate domain, so there's nothing to worry about. ...or is there? [cue ominous music] (To tell the truth, I have no confidence either way.)

* David always trips me out because he's like 12 years old and sorta looks like a big kid but comes across as totally competent in text.
Tags: livejournal
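
The scoping argument above, as an added example that is not part of the original post: a small model of the RFC 6265 domain-match rule, showing which cookies script on a user-controlled page can read when user pages share the login site's domain and when they live on a separate one. All hostnames and cookie names are constructed, and the model ignores Path, Secure and public-suffix handling.

```javascript
// Added example: hostnames and cookie names below are constructed.

// RFC 6265 section 5.1.3 domain-match: the host is identical to the cookie
// domain, or it ends with "." + domain and is not an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Names of the cookies that script running on a page served from `host`
// would see in document.cookie. HttpOnly cookies are never exposed to script;
// host-only cookies (set without a Domain attribute) need an exact host match.
function readableByScript(host, jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .filter((c) => (c.hostOnly
      ? host.toLowerCase() === c.domain.toLowerCase()
      : domainMatch(host, c.domain)))
    .map((c) => c.name);
}

// Layout A: user pages are subdomains of the site that sets the login cookie.
const sharedSiteJar = [
  { name: "session", domain: "journal.example", hostOnly: false, httpOnly: false },
  { name: "session_ho", domain: "journal.example", hostOnly: false, httpOnly: true },
  { name: "admin", domain: "www.journal.example", hostOnly: true, httpOnly: false },
];

// Layout B: the login cookie lives on one domain, user pages on another.
const splitSiteJar = [
  { name: "session", domain: "accounts.example", hostOnly: false, httpOnly: false },
];

function demo() {
  return {
    sharedUserPage: readableByScript("someuser.journal.example", sharedSiteJar),
    sharedMainSite: readableByScript("www.journal.example", sharedSiteJar),
    splitUserPage: readableByScript("someuser.pages.example", splitSiteJar),
  };
}

console.log(demo());
```

In layout A the domain-wide `session` cookie is readable from the user-controlled page; only the HttpOnly and host-only cookies stay out of reach, while in layout B nothing is shared.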
