From: Jonathan A. <jo...@sq...> - 2006-03-07 16:56:26
Hi Daniel,

On Tuesday, March 07, 2006, Daniel wrote:

>>> Google web accelerator : http://webaccelerator.google.com/
>>> Almost guaranteed to make it onto thousands of users' browsers.
>>> It's already had problems with prefetching links. Eg it'll
>>> prefetch the "delete" link and there goes your email.

>> Nice... Very handy to know.

>>> This is how Ruby does it: I have *NO* idea what it does but it works
>>> apparently. I imagine php must have an equivalent:
>>> http://david.backpackit.com/pub/37983

>> It's basically reading a header from the "browser" and acting on that
>> header. This can be duplicated in PHP...
>>
>> // Refuse requests that the client flags as a prefetch
>> if (isset($_SERVER['HTTP_X_MOZ']) && $_SERVER['HTTP_X_MOZ'] == 'prefetch') {
>>     header('HTTP/1.0 403 Forbidden');
>>     die;
>> }
>>
>> Or something similar to that. It might be one of those things that
>> might be a little while in coming, like if Marc commits his init code,
>> as that'd be an ideal handle point.

> In the absence of a central init.php script where could I put this
> code? Still - I don't know if this would stop the reported mouseover
> problem.

I have been thinking about this, and it shouldn't be an issue with
SquirrelMail at all. SquirrelMail requires two things before it'll let
you login. The user and pass. The username is then stored in a session,
and the password is encrypted, and stored in a cookie. The session ID is
then sent back to the browser as a cookie, along with a cookie called
"key" (the encrypted password). Every page request requires both the
session cookie, and the key cookie. If neither exists, then the pages are
just simply going to give you the classic "you must be logged in" page.

With that being said, if it /does/ work, Google are possibly opening
themselves up to lawsuits for the theft of information as they'd have
to take the session cookie, and the key cookie, and then use that
information to send to the next page. That is assuming I've understood
how the prefetch stuff works.

From the fact that people are putting in blocks to certain IP addresses,
it suggests Google's servers are doing the "prefetch" rather than your
client/computer. I'll have to do a little more research.

On a side note, I generally agree with Tomas in the fact that Google
shouldn't be releasing broken software, and if they are, the issue
should be addressed with them. I really dislike hacks around issues that
we shouldn't have to do. It also leads into the realm that allows people
to get away with whatever they want and everybody will bend to
accommodate their "modifications" to suit their wishes. Something which
we shouldn't have to do, no matter how large the gorilla is. Rules,
specifications, RFCs, etc, were all defined to protect the sharing of
information between resources in a standard fashion. They're there for a
reason.

-- 
Jonathan Angliss
<jo...@sq...>
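
Added example (not part of the original message and not SquirrelMail code): the two checks discussed in this message, the prefetch header test and the requirement for both the session cookie and the "key" cookie, run over constructed requests. The session cookie name SQMSESSID, the function names, the extra Sec-Purpose/Purpose headers and the 401 status standing in for the login page are assumptions.

```php
<?php
// Added example, not SquirrelMail code. Names below are illustrative.

const SESSION_COOKIE = 'SQMSESSID'; // assumed session cookie name
const KEY_COOKIE     = 'key';       // cookie named in the message above

/**
 * True when the client marked the request as a speculative prefetch.
 * X-moz is the header tested in the quoted snippet; Sec-Purpose and
 * Purpose are sent by later browsers (added here as a generalization).
 */
function is_prefetch(array $server): bool
{
    foreach (['HTTP_X_MOZ', 'HTTP_SEC_PURPOSE', 'HTTP_PURPOSE'] as $name) {
        if (isset($server[$name]) && stripos($server[$name], 'prefetch') !== false) {
            return true;
        }
    }
    return false;
}

/** Status the page should answer with before doing any work. */
function gate(array $server, array $cookies): int
{
    if (is_prefetch($server)) {
        return 403; // refuse speculative fetches outright
    }
    foreach ([SESSION_COOKIE, KEY_COOKIE] as $name) {
        if (!isset($cookies[$name]) || $cookies[$name] === '') {
            return 401; // stands in for the "you must be logged in" page
        }
    }
    return 200; // both cookies present, not a prefetch
}

// Constructed sample requests (not captured traffic).
$samples = [
    'normal click'      => [['REQUEST_METHOD' => 'GET'], ['SQMSESSID' => 'abc', 'key' => 'xyz']],
    'client prefetch'   => [['HTTP_X_MOZ' => 'prefetch'], ['SQMSESSID' => 'abc', 'key' => 'xyz']],
    'no key cookie'     => [[], ['SQMSESSID' => 'abc']],
    'server-side fetch' => [[], []],
];
foreach ($samples as $label => [$server, $cookies]) {
    printf("%-18s => %d\n", $label, gate($server, $cookies));
}
```

The "client prefetch" row is the case the cookie check alone would let through, because a prefetch issued by the user's own browser carries the same cookies as a click; the "server-side fetch" row has no cookies and gets the login response.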