Evan Martin (evan) wrote in evan_tech,
Evan Martin
evan
evan_tech

livejournal cookie stealing

Great summary* of the LiveJournal security situation: "Due to the fact that we cannot clean every external CSS stylesheet linked to every time we generate a journal page, this change is required. [...] With Mozilla deciding to allow the execution of arbitrary JavaScript via CSS, there is no other viable solution than the one we have undertaken."

My takeaway is that it's pretty much impossible to let your users simultaneously (a) create their own personal pages (b) on a site where other users have identities managed by cookies.

This was one of the reasons blogspot could let users have arbitrary JS: it's a totally separate domain, so there's nothing to worry about. ...or is there? [cue ominous music] (To tell the truth, I have no confidence either way.)


* David always trips me out because he's like 12 years old and sorta looks like a big kid but comes across as totally competent in text.
Tags: livejournal
Subscribe

  • no go

    Two friends of mine were pretty enthusiastic about the Go language, so I tried writing a program in it yesterday. It is frustrating because despite…

  • playing with vala

    I actually was toying with making something like Vala back in college. It's pretty cute. Much like using the sane subset of C++, as you write code…

  • chromium.el

    This weekend I wrote some Emacs Lisp to write some utility functions I find useful for hacking on Chromium. It's fun to have a reason to use Lisp!…

  • Post a new comment

    Error

    default userpic
    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 2 comments