Start adding credentials to media embed iframe URLs.
By knowing the ID36 of a link, it is possible to see its media embed because the embed request is served off-domain and as a result can't verify the user's cookie. To fix this, we add an authentication code to the iframe URL for media embeds and require its presence for all embeds in private subreddits. This starts appending credentials to private subreddit embeds such that, when the latter half of the fix is deployed, all apps are already generating appropriate embed URLs. This is part of a fix for an information disclosure vulnerability reported by Jordan Milne (/u/largenocream).
Showing with 21 additions and 4 deletions.
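
An added illustration, not the code from this commit (its diff is not shown on this page): one way the two-phase fix in the commit message could work, with the main domain appending an expiring HMAC to private embed URLs and the cookie-less embed domain checking it once enforcement is on. The secret, host, parameter names, expiry and the HMAC construction itself are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for illustration; not reddit's real key, host or parameter names.
EMBED_SECRET = b"constructed-demo-secret"
EMBED_HOST = "https://embed.example.invalid/mediaembed/"
MAX_AGE = 3600  # seconds a credential stays valid (assumed)


def _mac(link_id36, expires):
    # Bind the credential to one link and one expiry time.
    msg = f"{link_id36}|{expires}".encode()
    return hmac.new(EMBED_SECRET, msg, hashlib.sha256).hexdigest()


def embed_url(link_id36, private, now=None):
    """Built on the main domain, after the cookie and subreddit access check."""
    url = EMBED_HOST + link_id36
    if not private:
        return url
    expires = int(time.time() if now is None else now) + MAX_AGE
    params = {"expires": expires, "credentials": _mac(link_id36, expires)}
    return url + "?" + urlencode(params)


def may_serve(url, private, enforce, now=None):
    """Run on the embed domain, which never sees the user's cookie."""
    if not private or not enforce:
        # Phase one: URLs already carry credentials, nothing is rejected yet.
        return True
    parsed = urlparse(url)
    link_id36 = parsed.path.rsplit("/", 1)[-1]
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        supplied = query["credentials"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed credential
    if expires < (time.time() if now is None else now):
        return False  # credential too old
    # Constant-time comparison so timing does not reveal a partial match.
    expected = _mac(link_id36, expires)
    return hmac.compare_digest(supplied.encode(), expected.encode())
```

With `enforce=False` a bare ID36 URL is still served, which is the window this commit leaves open until the second half of the fix is deployed.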