Closed Bug 1461951 Opened 6 years ago Closed 5 years ago

PushManager.subscribe() csrf missing from all examples.

Categories

(Developer Documentation Graveyard :: API: Web Workers, defect, P1)


Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: janklopper, Assigned: ismith, NeedInfo)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180509235650

Steps to reproduce:

Looking through the MDN examples on PushManager subscriptions it became apparent that none of the examples warn users about XSRF / CSRF issues when using this API's resulting 'subscription' URL.


Actual results:

We implemented the example code and realized we could inject an attacker's notification URL into someone else's account, stealing notifications and content from their account in real time. Since only the server knows about this fake


Expected results:

We would like to see the examples warn users about implementing CSRF protection in their implementation to make sure no private data is being stolen from users who unknowingly activated a notification for an attacker on their account.
Group: websites-security
Removed the websites-security group as this bug is not something we need to restrict access to.
Priority: -- → P1
Assignee: nobody → ismith
Since I have no ability to edit the examples in the PushManager cookbook, I have added a warning with a link to useful web articles to the top of the section:

https://developer.mozilla.org/en-US/docs/Web/API/Push_API
Flags: needinfo?(janklopper)
Irene, thanks, I think that the warning does help a lot. However, seeing that most devs simply copy/paste example code like this (just look for snippets of this on GitHub, for example), you can see that most people don't take the time to implement any XSRF protection of their own. What other information would you need from me?
(In reply to jan klopper from comment #3)
> Irene, Thanks, I think that the warning does help a lot. However seeing that
> most devs simply copy/paste example code like this (just look for snippets
> of this on github for example), you can see that most people don't take the
> time to implement any xsrf protection of their own. What other information
> would you need from me?

Hi Jan,

Would you be able to provide us with some kind of reduced example showing what needs to be done, for us to add?

Closing this issue, as the actual work is being tracked at https://github.com/mdn/sprints/issues/986

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE