[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Oliver Bleutgen myzope@gmx.net
Fri, 12 Apr 2002 16:22:44 +0200


Florent Guillaume wrote:
> Oliver Bleutgen  <myzope@gmx.net> wrote:
> 
>>The issue of client side trojan recently came to my mind again.
>>[..]
>>I think zope's management methods (the potentially destructive ones)
>>should not accept REQUESTs with REQUEST_METHOD "GET".
>>
> 
> I like the idea of trying to secure that kind of things a lot.
> 
> Unfortunately, considering how trivial it is for Javascript code to do a
> POST programmatically, I don't see how that proposal would actually
> help.

Although I repeat myself, implementing this proposal would give me a lot 
of options to protect myself against this kind of attack, completely or 
partially.

- In Internet Explorer I can disable javascript. (problem solved)
- In Internet Explorer I use the zone restrictions (prevents attacks 
from untrusted servers)
- I can do the same in mozilla
- additionally, in mozilla I can just disable form submitting in 
javascript, with something like (this is surely wrong)
user_pref("capability.policy.default.HTMLFormElement.submit", "noAccess");
Put this in your prefs.js file and you are done.


Really, it _would_ help.

cheers,
oliver
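One way to implement the proposal discussed above, as an added Python example that is not Zope's own code: a decorator that makes a Zope-style management method refuse any request whose REQUEST_METHOD is not POST, while still allowing calls from trusted Python code that pass no REQUEST at all. The decorator, the exception name, the dict-shaped REQUEST and the keyword-only passing of REQUEST are assumptions made for the example.

```python
# Added example, not Zope code.  REQUEST is modelled as a plain dict carrying
# the REQUEST_METHOD key; the exception and decorator names are our own.

class MethodNotAllowed(Exception):
    """Raised when a destructive method is reached with a disallowed verb."""


def require_post(method):
    """Run `method` only if the HTTP request that reached it is a POST.

    Zope management methods conventionally take REQUEST=None so trusted
    Python code can call them directly; such calls carry no REQUEST and
    pass through unchanged.  A request arriving through the publisher
    with any other verb (a GET from a link or <img src=...>, a HEAD, ...)
    is refused before the method body runs.  REQUEST is assumed to be
    passed by keyword, as the publisher does.
    """
    def wrapper(self, *args, **kw):
        request = kw.get("REQUEST")
        if request is not None:
            verb = str(request.get("REQUEST_METHOD", "")).upper()
            if verb != "POST":
                raise MethodNotAllowed(
                    "%s requires POST, got %r" % (method.__name__, verb))
        return method(self, *args, **kw)
    wrapper.__name__ = method.__name__
    return wrapper


class Folder:
    """Minimal stand-in for a Zope folder with one destructive method."""

    def __init__(self, ids):
        self.objects = set(ids)

    @require_post
    def manage_delObjects(self, ids=(), REQUEST=None):
        """Delete the given ids and return the ids that remain."""
        for oid in ids:
            self.objects.discard(oid)
        return sorted(self.objects)


def simulate(folder, verb, ids):
    """Publish a delete with the given verb; None means it was refused."""
    request = {"REQUEST_METHOD": verb}   # constructed request
    try:
        return folder.manage_delObjects(ids=ids, REQUEST=request)
    except MethodNotAllowed:
        return None
```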