mbays mbays at sdf.org
Tue Jul 13 21:20:28 BST 2021
- - - - - - - - - - - - - - - - - - -
https://gitlab.com/gemini-specification/protocol/-/issues/37
A simple rule, roughly equivalent to SameSite=Strict, could be added to
the spec to help prevent most instances of CSRF (Cross-Site Request
Forgery). The rule can be something like:
When following a URI which is in scope of a client certificate from
a page (or via a redirect) outside of that scope, clients MUST prompt
the user to activate the client certificate for the target URI.
"MUST prompt" seems too strong to me. For redirects an explicit prompt is necessary, but for just following a link into the scope of a new certificate, I think it is sufficient if the link is presented in a way which makes explicit the precise URI and what certificate would be used for it. (This is how diohsc works currently, and I think it's fine.)
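To make the proposed rule concrete, here is an added example (not code from the thread, from diohsc, or from the Gemini specification) of the decision a client would make before sending a request: it applies the issue's rule for cross-scope requests and keeps the distinction drawn above between a redirect (explicit prompt) and a followed link (show the target URI and certificate explicitly). Representing a certificate's scope as a (host, path prefix) pair and the action names are assumptions of this example.

```python
from urllib.parse import urlparse

# Constructed sample: certificate scopes known to the client, keyed by
# (host, path prefix). How a client stores scopes is an assumption here.
CERT_SCOPES = {
    ("example.org", "/app/"): "cert-app",
    ("example.org", "/admin/"): "cert-admin",
}


def scope_for(uri):
    """Return the most specific (host, path prefix) scope covering uri, or None."""
    parsed = urlparse(uri)
    best = None
    for host, prefix in CERT_SCOPES:
        if parsed.hostname == host and parsed.path.startswith(prefix):
            if best is None or len(prefix) > len(best[1]):
                best = (host, prefix)
    return best


def cert_activation_action(origin_uri, target_uri, via_redirect):
    """Decide what the client does before requesting target_uri.

    'send'    - no client certificate applies, or origin is already in the
                same scope (the rule only concerns entering a scope from outside)
    'prompt'  - entering a certificate scope via a redirect: ask the user
                explicitly whether to activate the certificate
    'confirm' - entering a certificate scope by following a link: present the
                exact target URI and the certificate that would be used
    origin_uri may be None for a URI the user typed in; that is treated as
    coming from outside any scope, which is the conservative choice.
    """
    target_scope = scope_for(target_uri)
    if target_scope is None:
        return "send"
    origin_scope = scope_for(origin_uri) if origin_uri else None
    if origin_scope == target_scope:
        return "send"
    return "prompt" if via_redirect else "confirm"
```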