Comments for RETURN $ecure;

Comment on Opera to support HttpOnly by Jim Manico

Jim Manico — Sun, 21 Dec 2008 13:05:46 +0000

Shame that Opera still leaks HTTPOnly cookies via XMLHTTPRequest.getAllResponseHeaders

Comment on Enabling CSRF by Recent Links Tagged With "csrf" - JabberTags

Recent Links Tagged With "csrf" - JabberTags — Wed, 22 Oct 2008 15:19:10 +0000

[...] public links >> csrf Enabling CSRF Saved by schreber on Tue 21-10-2008 8-5-2008 Saved by kungfudude69 on Mon 20-10-2008 cPanal [...]

Comment on Enabling CSRF by kuza55

kuza55 — Sat, 03 May 2008 21:45:54 +0000

Ok, so I lied; that’s not all. CAPTCHAs are not good csrf solutions IMO because they’re easy to implement in a way that makes them CSRF-able.

Comment on Enabling CSRF by kuza55

kuza55 — Sat, 03 May 2008 21:42:33 +0000

IDS should die; that is all.

Comment on UserJS URL Sanitizing by Kyran

Kyran — Sat, 03 May 2008 15:22:14 +0000

I’ve sent you a quick e-mail regarding location.hash and my new thoughts on this.
And I know what browser.js is(and I love it!).

Comment on UserJS URL Sanitizing by Hallvord R. M. Steen

Hallvord R. M. Steen — Sat, 03 May 2008 10:48:28 +0000

Glad you like the User JS API
I have done something similar in browser.js (a “user script” all Opera installations run on all pages, providing various site-specific compatibility fixes) – protecting against the Acrobat Reader PDF javascript: URL exploit.

I don’t know how exactly one could make this generic enough to be worthwhile. Like, looking in location.search for code that looks like SQL injection or HTML?

BTW WordPress has taken some liberties with the code in the example

Comment on CSRF ramblings by Michael Coates

Michael Coates — Thu, 21 Feb 2008 15:35:42 +0000

Interesting thought with the Opera phone. I remember reading a article a few months back about a similar issue with Javascript able to auto dial Skype links within Mozilla. I can’t find the link at the moment.

It is interesting to watch the new types of vulnerabilities popping up as we bring more intelligence and capability to the phones. A pesky piece of malware has a much larger impact when it can make international phone calls and result in charges to someone’s bill

Comment on A thousand dollars and a fancy phone. by CSRF ramblings « RETURN $ecure;

CSRF ramblings « RETURN $ecure; — Tue, 19 Feb 2008 02:41:32 +0000

[...] 18th, 2008 I was reading over this post by Robert Hansen of SecTheory just after reading a post of mine about Opera phone integration. It got me to thinking, specifically this part. It will also have [...]

Comment on UserJS URL Sanitizing by Gareth Heyes

Gareth Heyes — Fri, 23 Nov 2007 13:24:27 +0000

Yeah Opera security does rock but I’d like this sort of functionality in Firefox.

Comment on UserJS URL Sanitizing by Kyran

Kyran — Thu, 22 Nov 2007 14:04:29 +0000

That’s one thing I forgot to mention! The methods of the opera object are not accessible from regular scripts! Plus you could use defineMagicFunction and BeforeScript to rewrite any code that tried to access the UserJS