On 04/30/2015 11:54 AM, Thomas Bruederli wrote:
On Thu, Apr 30, 2015 at 8:52 AM, martijn.list martijn.list@gmail.com wrote:
Hi,
Enabling use_secure_urls has some side effects which I'm looking at how to solve.
For example, a user might have defined a bookmark to the RC login page (www.example.com/webmail/). This works find just as long as the user is not yet logged in. However if the user is already logged in and the user wants to check whether there is any new mail and therefore clicks the bookmark, an error page with "Access to this service was denied due to failing security checks!" is shown. The user should then click the "click here to try again" link which will redo the request but now with the correct token in the URL. Since the GET request is redone but now with the correct token added, to me it looks like checking the URL token for GET requests will not bring additional security because if the user clicks the "click here to try again" link, the request will be done anyway.
That's exactly the point: the user has to CLICK the link -> human interaction required.
I understand the concept although in practice I think most users would just click the link without understanding the implications. Anyway, it was not criticism from my side just a note.
The random hash in the webmail URL is supposed to protect from CSRF or click-jacking attacks by making it harder for an attacker to guess the URL for the actual actions on the webmail application with a possibly active session. Roundcube already has proper protection for POST and Ajax requests. The unique-per-session urls add the missing piece for GET requests.
Is it possible to disable the secure URL check for certain pages and/or requests? Perhaps with a plugin? or is it all or nothing?
No it isn't, it's literally all or nothing. But what "certain pages" would you then like to exclude? Once you allow one, you loose protection against click-jacking.
If the secure URLs are enabled, the user can no longer open the webmail page using a general bookmark if the user is already logged-in. You might argue that if the user is already logged-in that the webmail is already open in some page but when you have a lot of open pages you might have forgotten that you already opened a page somewhere. If the user now clicks the bookmark, the failing security checks error message is shown. Is that a shop stopper? no but can be annoying for users who do not understand what it actually means.
Kind regards,
Martijn