<Lfe> me too :(
<Lfe> I'll bench myself then :p
<DRMacIver> Morning
<Lfe> hey
<litage> b0at: so form-tokens as we were discussing earlier wouldn't prevent XSS, but would prevent CSRF
<litage> correct?
<DRMacIver> Hmm
<DRMacIver> Isn't it possible to fake the desired behaviour pretty effectively with some server side scripting?
<DRMacIver> Getting content from other domains I mean
<litage> DRMacIver: i asked that of b0at earlier and he said that browsers prevent that behaviour
<DRMacIver> litage: Right. That's why I said fake it.
<litage> ah =P
<wyrd33> you know.. I've been looking for useful things to do with ajax, and realized that on virtually every web site out there, voting polls are a perfect situation where ajax would be useful
<DRMacIver> Just pass a parameter to a trivial server side script to locally mirror the content and refer to that instead of the remote version.
<b0at> The latter, not really, unless you're looking at things like having the same ip from request to request
<b0at> Right. The scraping server can feed its user the valid token
<litage> b0at: how would the scraping server obtain the form-token on behalf of the user? the scraping server would need the user's session cookie
<kaaaa> Is it possible to override the function called when ctrl+z is pressed in a browser?
<b0at> Ok, with a cookie they couldn't... unless the server was acting as a proxy
<b0at> But then what does the token do for you that the or a cookie can't? (I obviously haven't thought much about this)
<DRMacIver> kaaaa: I think that's the sort of thing which the OS catches before it ever reaches the browser.
<b0at> DRMacIver: No, it's handled by the browser
<kaaaa> Ok
<b0at> by the individual application
<kaaaa> Ok
<kaaaa> so do you see any way of overriding the functionality?
<b0at> But most of the time, you can't override that. Opera has a special mode for access keys, though.
<kaaaa> Ok
<DRMacIver> b0at: Really? Ok. I stand corrected.
<b0at> In a Java applet, for example, you could map ctrl+z to fire missiles
<b0at> The browser lets all input pass into the applet
<kaaaa> Ok
<DRMacIver> I guess what I really meant is that I thought it behaved in the normal way before any javascript got its hands on it.
<DRMacIver> Which is obviously not what I said. Never mind. I suck. :)
<kaaaa> so it's not possible to get hold of it before the browser?
<kaaaa> :)
<DRMacIver> What I want to know is what genius thought a layout relying heavily on floats was a good idea for an IE application...
<DRMacIver> (Oh yeah. That would be me.)
<DRMacIver> IE-targeted application even
<litage> b0at: in your last message to me, you left out a word after "for you that the": But then what does the token do for you that the or a cookie can't?
<b0at> "that the or a cookie can't"
<b0at> i.e., that the main session cookie or some specific-purpose cookie can't
<litage> b0at: if there's a "main session cookie" and no form-token, then a user who's logged in could click on a link located on another site that points to a url such as http://yourdomain.com/logout.php
<litage> b0at: that's a CSRF
<b0at> hm
<litage> b0at: however, if logout.php requires a form-token, then clicking on that url on someone else's site will simply say "sorry, your request was rejected" because the user didn't send the form-token
<b0at> You could require referrer logging
<b0at> sending
<litage> b0at: the referrer can be spoofed very easily
<b0at> Yes, but by users, not by other sites
<litage> b0at: since javascript can't slurp (or curl) the content of a remote page, a script on a remote site will not be able to grab the form-token on behalf of the user
<litage> b0at: other sites can easily spoof referrers too. It's trivial with any language
<b0at> How?
<litage> b0at: bob logs into yourdomain.com and a session cookie is given to him
<litage> b0at: bob then goes to remotesite.com, which curls yourdomain.com/logout.php and sends a fake referrer
<b0at> That remote site doesn't have access to bob's cookie
<litage> sorry, that was a terrible explanation/example
<litage> correct
<b0at> The UA determines what referrer to send, and if it's passing the linked-from uri then that previous site can't fake logout.pl into thinking they came from its own domain
<b0at> Now, if people are sending referrers that match the current site no matter what, then it might be able to log them out. But that behavior is still the user's decision
<litage> b0at: many people elect to not send a referrer
<b0at> indeed
<litage> b0at: which means that you can't rely on checking the referrer to ensure that the request came from your domain
<b0at> Unless you tell them up front about it and fail to work unless a referrer is sent (slightly inconvenient, but not much)
<litage> b0at: ah yes, that's true
<litage> b0at: however, the referrer can easily be spoofed with javascript
<b0at> How?
<litage> b0at: i barely know javascript, but i've read several blogs, mailing list posts and articles that say it can be done
<b0at> I wouldn't trust them
<b0at> You can _read_ the referrer from script
<b0at> I don't know what you can do with XHR, but that's still limited to the current domain
<tittof> it is possible to spoof referer
<b0at> tittof: With client-side, unprivileged script? How?
<litage> 'fraid i've gotta be off. late for heading out to see a band. b0at i'll be in this channel over the weekend, so maybe we can continue this discussion later
<litage> btw, thanks for your input b0at
<b0at> Ok, later
<ankur> Hi, can I click a hyperlink using javascript?
<b0at> ankur: You can go to its href and run its onclick/onkeypress events
<ankur> okk
<b0at> location.href = anchor.href; or if( !anchor.onclick || anchor.onclick() ){ location.href = anchor.href; }
<b0at> which takes into account onclick's return value
<b0at> And you can do the same with any other events that would trigger the anchor and might be defined
<tittof> b0at: seems like you were right. Not with javascript.
<Lfe> is it possible to manipulate document.referrer then?
<b0at> Lfe: It won't do anything
<Lfe> well, that wouldn't help :]
<b0at> If it's stored as a regular string, you might be able to modify it (which would be interesting for a gm script fooling in-page scripts that use it), but the browser doesn't care
<tittof> isn't the referer sent within the header?
<tittof> erm get request
<b0at> Yes, the HTTP_REFERER header
<Lfe> the document.referrer just picks it up, never used.
<tittof> of course you could always use something like http://refspoof.mozdev.org/faq.html
<b0at> Indeed, and that's the user's doing
<ankur> b0at: actually, that hyperlink itself is invoking some javascript i believe...
<b0at> Script in href is pointless and an abuse of an anchor
<ankur> it's gmail code actually, the select all hyperlink
<b0at> And I don't know if setting location would work or not for that. It might.
<b0at> If it didn't, I guess you could s/^\s*javascript\s*:// and eval the code... bleh
<b0at> Although, .click() might work...
<Lfe> I'll be gone, have a nice mid-summer weekend :]
<tittof> isn't that the time when Scandinavian ppl get more drunk than usual?
<Super-Fly> Do I use document.getElementById('address').className = "error"; if I want to change the class of a <input id="address" ... > item?
<deltab> Super-Fly: yes (replacing the existing classes)
<b0at> `js class # may help
<RTFS> js class: http://phrogz.net/JS/AddClassKillClass_js.txt
<Super-Fly> it's saying that it doesn't have properties
<b0at> Then the element doesn't exist (yet) with that id
<b0at> `js onload # This may be the problem
<RTFS> js onload: www.edea.se/Onload
<Super-Fly> oh, yea, an id="" wasn't set on these inputs
<Super-Fly> wow, that was a waste of time
<Super-Fly> thanks b0at
<Super-Fly> it's still not working, but at least I don't get errors now
<tiglionabbit> hey javascripties, is there a simple way to round a number to the nearest cent?
<b0at> .toFixed(2)
<tiglionabbit> thank you
<tiglionabbit> so uh, I'm finding I have to do some major referencing on all of the values in my form. I'd been doing document.getElementById on all of them already, but now I'm grabbing the IDs of about 30 different things. Is there an easier way to check which radio buttons are selected in a form?
<MikeD_> tiglionabbit - easier than what?
<tiglionabbit> easier way to get at those values than document.getElementById. Well, easier as in less text
<tiglionabbit> from my form
<MikeD_> url?
<MikeD_> form.inputname.value maybe (if all the radio buttons have the same name, with different values)
<tiglionabbit> they do
<tiglionabbit> hm
<tiglionabbit> that sounds much better
<tiglionabbit> replace 'form' with the name of the form, or id, or what?
<tiglionabbit> also, can I make something part of a form's inputs even if it's just plain text?
<MikeD_> i usually put an id on the form so i can get a handle to the form object with var frm = document.getElementById("formid"); then if( frm) { alert( frm.radioname.value ) }
<tiglionabbit> ah
<tiglionabbit> plain text that changes based on what other inputs are selected
<MikeD_> you can use <input type='hidden' id='secretStuff' /> then reference document.getElementById("secretStuff").value = "hidden data to submit here" ;
<tiglionabbit> I don't want it to be hidden
<tiglionabbit> I have a form where there's a price field that updates automatically based on what other things you've selected
<MikeD_> you'd probably want a name attribute on that input so the webserver knows what to call it - then don't make it hidden, use type='text'
<tiglionabbit> oh
<MikeD_> you don't want to trust the client-side calculated price on the webserver - recalculate it server-side
<tiglionabbit> okay. But I need to display it client side
<MikeD_> sure
<tiglionabbit> also, there are a few temporary price fields I won't need later-- can I make a text input not be submitted with the other data? heh doesn't matter a lot though-- I could just ignore it
<tiglionabbit> wait no, I don't want a text input. I'd just like to tie a bit of plain text to the form for easier access, so I don't have to getelementbyid so much
<MikeD_> i don't understand what you mean
<MikeD_> if the data is not in a control inside the <form> tag, then it won't be submitted
<MikeD_> if you just don't want to type document.getElementById - alias it: var gEBI = document.getElementById ; use gEBI("myid");
<Ratty_> heh, crashes safari: var log = console.log;
<MikeD_> does that attempt to get the errors reported to the js console?
<Ratty_> console.log() is for sending messages to the js console
<Ratty_> firebugs console is much better
<MikeD_> does it crash if you use a different variable name?
<Ratty_> it crashes with any variable for me
<MikeD_> 'just curious if the problem was with the potentially reserved "log" keyword