💾 Archived View for rawtext.club › ~sloum › geminilist › 006881.gmi captured on 2023-12-28 at 16:14:44. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-11-30)
-=-=-=-=-=-=-
Alice lia at loveisanalogue.info
Sat Jul 10 11:27:34 BST 2021
- - - - - - - - - - - - - - - - - - -
On 9 July 2021 23:25:47 BST, nothien at uber.space wrote:
The reason that HTTP/HTML does not suffer from this problem is twofold.
Firstly, HTML is interactive, and so whenever such an action is
performed, the user can be interactively requested to confirm their
intention. Secondly, when the action is performed directly (e.g. by
using HTTP POST to the relevant URL), the attacker doesn't have access
to the necessary cookies to authorize the action.
HTTP does suffer from the same problem - because cookies are sent automatically. To prevent this HTTP requests typically use a "CSRF" token - an extra, random piece of text that is included in forms every time they are generated, and which the server tests against.
Gemini could easily use the same approach: the page that generates the "delete your account" link can add a random string in the query string. The server can then tests for the presence of that query string.
Because it's generated randomly every time the page is generated, attackers can't guess it. The CSRF token should have a limited life time.
:)Alice-- Sent from my Android device with K-9 Mail. Please excuse my brevity.-------------- next part --------------An HTML attachment was scrubbed...URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210710/5cd9608b/attachment.htm>