-
-
Notifications
You must be signed in to change notification settings - Fork 207
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent 401 phishing attacks #504
Comments
Maybe we should also prevent use of SVG images.
|
Nice find. :-) What solution would you recommend? The only effective one I can think of is to proxy all images. That's pretty much #202. |
Note that Firefox does show a warning:
Screenshot: |
Can't we tell the browser not to show the prompt through CSP or a similar mechanism? Why do browsers even show a prompt in this case? What legitimate use-case is there for this? |
This is the authentication mechanism for the HTTP Basic Authentication Protocol: http://blog.stevensanderson.com/2008/08/25/using-the-browsers-native-login-prompt/ |
I know what it is, but I see no reason to allow it for images. ;-) |
Oh, sorry. There isn't really a legitimate use of this mechanism in images. For some reason, developers are not interested in fixing this issue. The only real solution is to proxy all images as suggested in #202. |
Do you have links to the relevant tickets in the bug trackers of browsers? |
https://bugs.chromium.org/p/chromium/issues/detail?id=21628
I will look into this. There is a discussion concerning a CSP implementation here: https://www.w3.org/2011/webappsec/track/issues/68 |
Looks like it's not considered in scope for CSP (quote from your link: "it doesn't belong in CSP"), and since there is no spec saying that it shouldn't be allowed the behavior of browsers hasn't been changed. |
Yep, I am with you on that. :) |
The new |
Relevant article: GitHub’s post-CSP journey. |
camo: an http proxy to route images through SSL (GitHub's image proxy). |
Cloudflare workers seem like the best way to fix this. It would cost $5 per month. |
It looks like this issue has been fixed in browsers, I can't reproduce it anymore in Firefox (76.0.1) and Chromium (83.0.4103.61). |
The following markdown image should prompt you with an authentication dialog:
This can be used for 401 phishing attacks, where the credentials are sent to an attackers' server.
The text was updated successfully, but these errors were encountered: