  1. #26 TheRedDevil
    Quote Originally Posted by Kevin Yank
    Hi all,

    I am the author of the book in question.

    It is true that few if any browsers will prefetch hyperlinks out-of-the-box, but some “web accelerator” software will do this. A few years back, Google’s initial release of Google Web Accelerator wreaked havoc on many sites that used action links. I will admit that situations like this are relatively rare, however; browser makers have learned to assume that web developers will use action links, even though they shouldn’t.

    In practice, the biggest reason to avoid action links is because they are vulnerable to Cross-Site Request Forgeries (CSRFs). A CSRF is a malicious attack that works on the same principle as the link-prefetching problem described in the book.
    I must say that I am slightly confused on what exactly it is you're advising.

    As I understand it, your advice is to use POST requests instead. In other words, instead of a delete "link" beside the object (image, user account etc.) you would use a form submit button?

    Or are you talking about having a confirmation page, where there would be a form where the user would need to confirm the action they tried to do? (In this case, delete the object.)

    If it's the last one, then I would agree.

    Quote Originally Posted by e39m5
    Has anyone thought of a way to prevent CSRFs for PHP developers? The only method coming to my mind is checking referrers, either through scripting or .htaccess (kind of a twist on the way image theft is prevented).

    Out of interest, are .NET developers immune to these kinds of attacks? I often hear .NET referred to as a bulletproof form validation, but does that include CSRFs?
    All languages are vulnerable to these kinds of attacks. It's all about development; you can make the same mistakes in all languages.

    For the referrer, well, a good tip would be to just forget that it exists. You won't be able to do anything else with that value other than log it. It is a value passed along by the user, hence it is not trustworthy.

  2. #27 logic_earth
    For preventing or mitigating CSRFs you can require a time-limited token for every request that matches up to one's current session. This token must change and be different for every available request.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.
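    The two points made in #26 and #27 (deletions go through a POST form rather than a link, and every such form carries a token bound to the current session, to the specific action and to a time limit) can be seen together in this added example. It is not code from the thread or from the book under discussion; the secret key, the token format (issue time, random nonce, HMAC) and the handler names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret; in a real application load it from configuration
# (environment, secrets store), never hard-code it as done here for the example.
SERVER_SECRET = b"example-secret-key-replace-me"
TOKEN_TTL_SECONDS = 600  # a token is accepted for ten minutes after issue


def make_csrf_token(session_id, action, now=None):
    """Issue a token bound to this session and this action.

    Format: "<issued-at>.<nonce>.<hmac>".  The nonce makes every rendered form
    carry a distinct token; the HMAC over session, action and issue time lets the
    server verify it without storing anything.
    """
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{action}|{issued}|{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued}.{nonce}.{mac}"


def verify_csrf_token(token, session_id, action, now=None):
    """Return True only if the token was issued by us, for this session and
    action, and is still inside its time window."""
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    current = now if now is not None else time.time()
    if current - issued > TOKEN_TTL_SECONDS or issued > current + 60:
        return False  # expired, or issued "in the future" beyond small clock skew
    msg = f"{session_id}|{action}|{issued}|{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    # constant-time comparison so the check itself does not leak the MAC
    return hmac.compare_digest(expected, mac)


def render_delete_form(session_id, item_id):
    """The 'delete' control as a POST form with a hidden token, instead of a link."""
    token = make_csrf_token(session_id, f"delete:{item_id}")
    return (
        f'<form method="post" action="/items/{item_id}/delete">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f'<button type="submit">Delete</button>'
        f"</form>"
    )


def handle_delete(method, form, session_id, item_id):
    """Server side of the delete action; returns (status, message).

    A prefetched or forged GET never reaches the deletion, and a POST without a
    token valid for this session and this item is refused.
    """
    if method != "POST":
        return 405, "deletions must be POSTed"
    token = form.get("csrf_token", "")
    if not verify_csrf_token(token, session_id, f"delete:{item_id}"):
        return 403, "missing or invalid CSRF token"
    return 200, f"item {item_id} deleted"


if __name__ == "__main__":
    # Constructed walk-through: render the form, then replay the kinds of requests
    # discussed in the thread against the handler.
    sid = "constructed-session-id"
    html = render_delete_form(sid, 42)
    good = html.split('value="')[1].split('"')[0]
    print(handle_delete("GET", {}, sid, 42))                        # link/prefetch: refused
    print(handle_delete("POST", {}, sid, 42))                       # forged form: refused
    print(handle_delete("POST", {"csrf_token": good}, sid, 43))     # token for another item: refused
    print(handle_delete("POST", {"csrf_token": good}, sid, 42))     # genuine submission: accepted
```

    The token here is stateless, so two copies of the same form both verify until the time limit passes; if a token must be usable exactly once, store the issued nonces in the session and remove each one when it is consumed. Binding the action name into the HMAC is what stops a token issued for one delete form from being reused on another.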


  3. #28 Non-Member
    TheRedDevil, he is talking about the first one and he is absolutely right.
    Your confirmation way is just an option for this. The link does nothing but direct to the confirmation (action) page, with a POST form. Same at the end.
    If one doesn't want confirmation, they skip the link stage, so here is the POST form button already.

  4. #29 SitePoint Zealot
    Can you substitute a submit button with a text link in a form?

  5. #30 felgall
    Quote Originally Posted by doolally
    Can you substitute a submit button with a text link in a form?
    Only if the browser has JavaScript enabled so that the script can submit the form. Without JavaScript you need a submit button or image in order to be able to POST an update request to the server.

    With JavaScript enabled you don't even need a form since JavaScript can POST an update request directly via Ajax or can create and post a form dynamically.

    You can't rely on everyone having JavaScript though and for those who don't you need a submit button or image to POST update requests.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  6. #31 Stomme poes
    Does anybody know of a browser that really does that?
    My bane, FasterFox, who funnily enough is slower because it wastes yours, mine, and server's time asking for URLs the visitor may never want to visit anyway.

    We use anchors to choose language. Not something that should be done with POST as you can think of the "language-x version" as a separate page, but people with FasterFox found themselves always getting our pages in Portuguese, the last language link in the list.

    Also, JAWS for some reason latched on to the lang attribute of the anchor and continued trying to speak Dutch in a Portuguese pronunciation, which was kinda funny and really sad (it's a bug, as the attribute should only set the lang for that element alone, esp. if the rest of the page has its own lang set on the html element, but eh).

    It sure would be nice (I think) if all 4 HTTP requests worked... or at least PUT. Then we could choose when a whole POST is needed and when users could just PUT some extras onto an existing datum. If I understood what I read correctly. And if DELETE worked, POST wouldn't be used to delete anything.

  7. #32 Stevie D
    Quote Originally Posted by douglerner
    The author says never to use links to perform actions - just use them for their intended purpose, which is to go to related content.

    For example, he says you should never have "delete this" links on a page. Instead you should use form submissions for such actions.

    The reason, the author says, is because some modern browsers will automatically follow hyperlinks present on a page in the background so the target pages will be ready for immediate display if clicked. Thus you may end up having some of your coded actions occurring even if the user never actually clicks on them!
    There are several issues here.

    If a link performs a reversible or non-critical action then you're probably OK, bearing in mind the usual caveats around accessibility and usability of Javascript links. The sort of thing I'm thinking of here would be, eg, re-sorting a table or changing a display preference. While these are technically actions, they will only affect the current user and can be undone, so there is no possibility of undesired effects.

    If you have an irreversible and critical action, you should look at having a considerably more secure process. Even if it is behind a secure log-in, so that spiders and bots can't try to follow the links, and even if the only people who access the site use browsers that don't pre-fetch links, you're still setting yourself up for a fall if you allow these changes to be made by following a single link with no verification or confirmation required. The link should activate a lightbox or dialog box requiring a further click to confirm the action, or some other mechanism. After all - how often have you accidentally clicked on a link that you didn't mean to click on? It happens a lot! Normally it isn't a problem, you just hit "Back" and go back to where you were. But if you've irretrievably deleted something from the server with that one click, you've left yourself no way back, and that is dangerous.

  8. #33 SitePoint Zealot
    Thanks felgall,

    I would have preferred to use a text link instead of a button or image for the look. I think when I'm in this situation, I'll use an extra page with a form to confirm a delete.

  9. #34 SitePoint Member
    This never happened to me and I don't see any either. I mean putting an anchor text is safe. Also I think it is just a respect to other of respecting each of our posts.

  10. #35 Stomme poes
    Quote: I would have preferred to use a text link instead of a button or image for the look.
    The look? Now you're talking CSS, so no reason not to use a real button when you must/should use a button.
