💾 Archived View for rawtext.club › ~sloum › geminilist › 001733.gmi captured on 2020-09-24 at 01:41:00. Gemini links have been rewritten to link to archived content


CSRF in Gemini

Francesco Gazzetta fgaz at fgaz.me

Tue Jun 16 10:23:13 BST 2020

- - - - - - - - - - - - - - - - - - - 

On Mon, 15 Jun 2020 14:30:07 +0000 solderpunk <solderpunk at SDF.ORG> wrote:

> It's perhaps a little bit tedious for users, but the simplest
> solution I can think of for things like this is a convention that all
> requests which trigger side-effects (like comments, etc.) must be
> made with a client certificate, because that will make it very clear
> to the user that something is happening and no surprises are possible.

Doesn't this imply that all requests with a client cert will have to be confirmed by the user?

> I strongly suspect that completely preventing this kind of thing will
> be impossible if we simultaneously insist on a simple protocol and a
> frictionless user experience - in which case, everybody knows which
> one will be prioritised. :) But if we can somehow pull off both at
> once that will be best.

Of course, which is why I wrote

> But this would require a separator, and we all know where this leads.

:)

Still, I don't think this is a matter of frictionless user experience, more like... developer ux? Unless we find something simpler than nonces.
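As an added illustration (not code from this thread), here is one way a Gemini server could implement the nonce idea: the nonce is bound to the client certificate fingerprint, expires, is single-use, and is carried in the path rather than the query, so the user's text needs no separator. The route name, status codes used for rejection and the TTL are assumptions; the `handle` method only models the server's decision, not the TLS layer.

```python
import secrets
import time
from urllib.parse import urlparse, unquote

NONCE_TTL = 300  # seconds a nonce stays valid (assumed value)


class CommentEndpoint:
    """Toy model of a Gemini route that accepts comments (hypothetical)."""

    def __init__(self, now=time.time):
        self.now = now
        self.nonces = {}    # nonce -> (cert fingerprint, issue time)
        self.comments = []  # (cert fingerprint, text) actually stored

    def issue_nonce(self, cert_fp):
        """Called when the page containing the 'post a comment' link is
        rendered for a client identified by cert_fp; the link becomes
        gemini://host/comment/<nonce>."""
        nonce = secrets.token_urlsafe(16)
        self.nonces[nonce] = (cert_fp, self.now())
        return nonce

    def handle(self, url, cert_fp):
        """Return the Gemini status line for a request made with cert_fp
        (None means the client sent no certificate)."""
        if cert_fp is None:
            return "60 Client certificate required\r\n"
        parts = urlparse(url)
        segs = parts.path.strip("/").split("/")
        if segs[0] != "comment":
            return "51 Not found\r\n"
        nonce = segs[1] if len(segs) == 2 else None
        rec = self.nonces.get(nonce) if nonce else None
        # Reject links forged by a third party: no nonce, a nonce issued to
        # a different certificate, or one that is too old.
        if rec is None or rec[0] != cert_fp or self.now() - rec[1] > NONCE_TTL:
            return "59 Bad request: missing or stale nonce\r\n"
        if not parts.query:
            # INPUT status: the client prompts the user and resends with ?text
            return "10 Your comment:\r\n"
        del self.nonces[nonce]  # single use: consumed by the real submission
        self.comments.append((cert_fp, unquote(parts.query)))
        return "20 text/gemini\r\n"
```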