Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
E
E
el7772011-04-05 23:05:10
User identification
el777, 2011-04-05 23:05:10

Prevent password theft through a picture on another site

Colleagues, tell me how you can protect yourself from such a user attack:
A picture from your site is inserted into a blog on a 2.0 site. After a while, the picture is closed by http-authorization. As a result, a user who comes to read this blog post will have an authorization window in which he will happily enter a password. Okay, you can't catch a geek like that, but most users will.

I see the following options:
- prohibit external images - bad
- make the authorization form on the site in a very different design so that the user does not get confused
- add the onerror="return false" attribute to each image of the external site - the question is when it will be called - on the first 401 or after 3 failed attempts
- preloading all images in JS with verification and only after that showing - an example on prototype

What do you advise? What if JS doesn't work?

UPD from the comments: you can cache pictures at home, then they will definitely be good. But: traffic, copyright.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

6 answer(s)
Report
M
MT, 2011-04-06
@MTonly

- Educate site users by displaying an informative warning next to the login form.
- Lobby among browser developers for the idea of ​​disabling by default the display of HTTP authorization dialogs related not to the page itself, but to embedded resources.

Report
E
el777, 2011-04-05
@el777

This is how you can avoid the hole www.daveoncode.com/2010/08/20/image-background-fallback-img-tag-error-handlers/

Report
E
el777, 2011-04-06
@el777

While I see such a solution - make a preloader based on an example, and in all pictures write something like this
[img src="javascript: load('http://evil-host/world-evil.png')" /] and in this function upload the image and put it in the right place. Yes, don't forget to remove lowsrc from the attributes. I hope everyone remembers him. :)

Report
C
ComodoHacker, 2011-04-06
@ComodoHacker

list of allowed hostings with regular validation of their urls.
cons:
maybe true

Report
C
ComodoHacker, 2011-04-06
@ComodoHacker

Sorry.
List of allowed hostings with regular validation of their urls.
disadvantages:
- you need to follow the updates
- hosting can break
- users may not like the restriction

Report
D
DarkRIP, 2011-04-06
@DarkRIP

Alternatively, you can download the picture not immediately, but after contacting this address from the server, while analyzing the response code, but not downloading the content itself. I'm not really sure how technically this can be implemented, and whether it is possible at all.

Similar questions
N
NI2017-12-15 03:52:11
Previously, mailing lists with publications came from Habrahabr and Geektimes, now they don’t. Where are these settings? 1Reply
R
RalfiBB2020-02-18 17:37:24
How to correctly execute Servlet Logout? 0Reply
S
sex_chocolate2020-02-18 21:25:09
How to identify a computer by TCP/IP traffic? 0Reply
A
andrey_levushkin2020-02-25 16:36:38
How to get a token for a request when authorizing on a site? 0Reply
R
RoflanDaniil2017-10-11 16:39:15
How to do authentication in Node.js without passport.js? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question