[cap-talk] Webkeys vs. the web

Tyler Close tyler.close at gmail.com
Mon Mar 23 00:42:43 EDT 2009


On Sun, Mar 22, 2009 at 3:15 PM, Chip Morningstar <chip at fudco.com> wrote:
> Approach #2 is to have every page in this system include a "powerbox module"
> and use a session cookie so that when I load the powerbox module, the backend
> populates it with my stuff but when you load it it populates it with your
> stuff.  The session cookie in this scenario ends up being, in essence, a webkey
> that is held in a cookie (and handed around like a cookie), which makes me very
> queasy.

If you augment a shared page with private information, you make the
user vulnerable to clickjacking. The attacker, knowing the URL of the
shared page, directs an invisible frame to that page. The attacker
then tempts the user to click at the screen coordinates where the
private functionality will be added.

I suggest you make an account-like object that keeps track of all the
user's resources. When the user joins the application, they bookmark
their account object. This is the only bookmark they ever have to
create. All other pages can be found by navigating from their account
object. If you are worried about getting at the resource from a new
browser, you could implement a logon interface, or email the URL, etc.

--Tyler


More information about the cap-talk mailing list