Re: [dev] [surf] adblocking

From: Sam Watkins <sam_AT_nipl.net>
Date: Wed, 21 Nov 2012 15:30:42 +1100

On 11-20 08:08, Andrew Hills wrote:
> Would it be possible to disable requests made by the page to any
> address outside the page's domain?

This is a worthwhile option for the browser.

It can block many ads, and also block cross-site request forgery exploits.

CSRF exploits take advantage of a major security hole in HTTP /
web browser implementation, and can sometimes work without scripting -
a static page can damage intranet / local web services using just a whole lot
of img tags or similar, such as <img src="192.168.1.1/delete_stuff?id=1234">.
Home routers are vulnerable to these attacks, which leads to DNS poisoning, etc.

A page with JavaScript can also make POST requests to local services;
I guess this works even in surf.

I posted about CSRF, sanity level may vary:

http://sswam.com/2012/03/16/not-secure-will-fail-how-to-stop-csrf-cross-site-request-forgery/
http://sswam.com/2012/03/21/not-secure-will-fail-how-to-stop-csrf-cross-site-request-forgery-tldr-edition/

(and yes, I know I am using sucky blog software.)
Received on Wed Nov 21 2012 - 05:30:42 CET
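
The option discussed in this message (refuse any request whose host differs from the page's host) comes down to a comparison like the one below. This is an added example, not code from surf or from the message above; url_host() and allow_request() are hypothetical names, both URLs are assumed to be absolute, only the host is compared (not scheme or port), and anything that cannot be parsed is blocked.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Copy the lowercased host of an absolute URL ("scheme://host...") into out.
 * Returns 0 on success, -1 if there is no authority part or it does not fit. */
static int url_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    size_t n, i;

    /* "://" must come before any path/query, else it is not a scheme separator */
    if (!p || strcspn(url, "/\\?#") < (size_t)(p - url))
        return -1;
    p += 3;
    n = strcspn(p, "/\\?#");            /* authority ends here ('\' is treated like '/') */
    for (i = n; i > 0; i--)             /* drop userinfo: keep what follows the last '@' */
        if (p[i - 1] == '@') {
            p += i;
            n -= i;
            break;
        }
    if (n > 0 && p[0] == '[') {         /* IPv6 literal: host runs up to ']' */
        const char *end = memchr(p, ']', n);
        if (!end)
            return -1;
        n = (size_t)(end - p) + 1;
    } else {
        const char *colon = memchr(p, ':', n);
        if (colon)
            n = (size_t)(colon - p);    /* strip ":port" */
    }
    if (n == 0 || n >= outlen)
        return -1;
    for (i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 0;
}

/* Return 1 if a request to req_url may be sent while page_url is displayed,
 * 0 if it should be blocked. Unparseable URLs are blocked (fail closed). */
int allow_request(const char *page_url, const char *req_url)
{
    char page[256], req[256];

    if (url_host(page_url, page, sizeof page) || url_host(req_url, req, sizeof req))
        return 0;
    return strcmp(page, req) == 0;
}
```

An exact host match also blocks a site's own subdomains (for example a separate static-content host), so a real option would need a way to allow those.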
