Felix Queißner felix at masterq32.de
Mon Jun 15 16:05:33 BST 2020
- - - - - - - - - - - - - - - - - - -
Hey!
> I just wrote down a few thoughts about cross-site request forgery in Gemini:
Good read! I thought about that as well…
> CSRF protection via non-native nonces is ugly, can we do better than the web?

I think one solution would be to force clients to remove queries from all URLs. It's not a really elegant solution and makes CGI stuff harder to implement, but will prevent a lot of URL-fuckery. I'm also always scared when clicking links in interactive things, because double postings are really easy to achieve with the query appended to URLs. Hitting refresh in your browser to see new posts? You create a new post in the guestbook!
While writing this, I got the following idea (which seems reasonable to me): Specify that a response to INPUT MUST be passed with a query-parameter "?input=…" where "…" is the data from the user. The data is fully urlencoded with all forbidden characters (space, ?, =, …) replaced with their percent-encoding.
Also specify that clients SHOULD remove the "input"-parameter between redirects and in documents using the gemini-scheme.
This allows us to prevent passing accidental or malicious data via redirects, but doesn't help against a spam-bot that targets a site directly. It also makes client implementation a bit harder.
Regards
- xq
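The two client-side rules proposed in the message above (answer an INPUT response with a "?input=…" query, and strip the "input" parameter from redirect targets and from gemini:// links found in documents), as an added Python example; it is not code from this thread or from any Gemini client, and the host names and sample data are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, quote


def build_input_url(base_url: str, user_data: str) -> str:
    """Answer a Gemini INPUT (status 1x) response for base_url by re-requesting
    it with the proposed '?input=...' query carrying the user's data.
    quote(..., safe="") percent-encodes space, '?', '=', '&', '#', '/' etc.,
    so the user's text can never add a second parameter or change the path."""
    parts = urlsplit(base_url)
    # Any query already on the URL is dropped: 'input' is the only parameter
    # the client passes back (an assumption of this example, not of the message).
    query = "input=" + quote(user_data, safe="")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def strip_input_param(url: str) -> str:
    """Apply the proposed SHOULD rule: remove the 'input' parameter from a
    gemini:// URL that arrived as a redirect target or as a link in a document,
    so a crafted link cannot submit a guestbook post on the user's behalf.
    Other parameters are kept with their original encoding untouched."""
    parts = urlsplit(url)
    if parts.scheme != "gemini" or not parts.query:
        return url  # non-gemini schemes and query-less URLs pass through unchanged
    kept = [p for p in parts.query.split("&") if p.split("=", 1)[0] != "input"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(kept), parts.fragment))


if __name__ == "__main__":
    # Constructed sample: a legitimate INPUT reply and a crafted link in a document.
    print(build_input_url("gemini://example.org/guestbook", "hello world?="))
    print(strip_input_param("gemini://example.org/guestbook?input=spam"))
    print(strip_input_param("gemini://example.org/cgi?page=2&input=spam"))
```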