On Thu, Apr 30, 2015 at 8:52 AM, martijn.list martijn.list@gmail.com wrote:
Hi,
Enabling use_secure_urls has some side effects which I'm looking at how to solve.
For example, a user might have defined a bookmark to the RC login page (www.example.com/webmail/). This works find just as long as the user is not yet logged in. However if the user is already logged in and the user wants to check whether there is any new mail and therefore clicks the bookmark, an error page with "Access to this service was denied due to failing security checks!" is shown. The user should then click the "click here to try again" link which will redo the request but now with the correct token in the URL. Since the GET request is redone but now with the correct token added, to me it looks like checking the URL token for GET requests will not bring additional security because if the user clicks the "click here to try again" link, the request will be done anyway.
That's exactly the point: the user has to CLICK the link -> human interaction required.
The random hash in the webmail URL is supposed to protect from CSRF or click-jacking attacks by making it harder for an attacker to guess the URL for the actual actions on the webmail application with a possibly active session. Roundcube already has proper protection for POST and Ajax requests. The unique-per-session urls add the missing piece for GET requests.
Is it possible to disable the secure URL check for certain pages and/or requests? Perhaps with a plugin? or is it all or nothing?
No it isn't, it's literally all or nothing. But what "certain pages" would you then like to exclude? Once you allow one, you loose protection against click-jacking.
~Thomas