Problem:
I would like to avoid any cross domain request, are there any tricks?
Context:
Basically, I'm doing an app where users can create packages (mods or extensions, it's the same) and everyone can use them afterwards.
But this of course includes a huge problem of code injection, because I just allow it.
So I want to maximize the extensibility of my app by letting everyone do what they want, but in the meantime I want to minimize the attack possibilities.
And for now, what I'm afraid of is data sharing with other sites.
Example:
My site will use cookies for identification; if a package can read the cookie and send it to any website, the attacker could have access to the session id.
Or just with a CSS stylesheet, you can ask for an image on another website that will record any access data (IP, user agent etc.), so I don't want any of that. I heard that reddit disallows any external resources in user themes; how do they do that?
Question:
Is there some kind of way to detect if a path is in the same domain, with a regex maybe? Is matching with the following regex enough? /^\s(?:[a-z]+:)?\/\// Yeah, I know it's ugly, but it detects if there is a protocol like http:// or ftp:// or anything like that, so otherwise the path is in any case relative to the domain.
And finally, are there any other obvious security risks?
Thanks
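The same-origin check the question asks about, written as an added example that is not part of the original post: it resolves each reference with the URL parser instead of pattern-matching for a scheme, so scheme-relative, backslash and upper-case forms are classified the way a browser would treat them. It assumes an app origin of https://app.example (a placeholder) and a constructed sample stylesheet.

```javascript
// Added example, not from the original post: instead of regex-matching for a
// scheme, resolve every reference against the app's own origin (a constructed
// placeholder here) and keep only http(s) URLs whose origin is identical.
const APP_ORIGIN = "https://app.example";

function isSameOrigin(ref, base = APP_ORIGIN) {
  let url;
  try {
    // Resolves relative paths, scheme-relative "//host/x", "\\host\x" and
    // upper-case schemes the way a browser would, so none of them slip past.
    url = new URL(ref, base);
  } catch (e) {
    return false; // unparsable reference: reject
  }
  // data:, javascript:, blob:, ftp: and the like all fail the scheme check;
  // a different scheme, host or port fails the origin comparison.
  const httpish = url.protocol === "http:" || url.protocol === "https:";
  return httpish && url.origin === new URL(base).origin;
}

// Naive scan of a package stylesheet for url(...) and @import targets,
// returning those that point off-origin. A production filter should walk a
// real CSS parser's token stream; this regex is only enough for the demo.
function offOriginCssReferences(css) {
  const re = /url\(\s*(['"]?)([^'")]+)\1\s*\)|@import\s+(['"])([^'"]+)\3/gi;
  const refs = [];
  let m;
  while ((m = re.exec(css)) !== null) {
    refs.push((m[2] !== undefined ? m[2] : m[4]).trim());
  }
  return refs.filter((r) => !isSameOrigin(r));
}

// Constructed sample stylesheet a package author might submit.
const SAMPLE_CSS = `
body { background: url("/img/bg.png"); }
.t { background-image: url(//tracker.example/p.gif?u=1); }
@import "https://fonts.tracker.example/f.css";
.l { list-style-image: url('img/bullet.png'); }
`;

console.log(offOriginCssReferences(SAMPLE_CSS));
```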