You are here:
BACCHUS Wiki
>
System Web
>
FAQWhyYouAreAskedToConfirm
(revision 1) (raw view)
---+ %MAKETEXT{"Why am I being asked to confirm?"}% %MAKETEXT{"This page explains one of the security measures that Foswiki, the software that runs this site, performs to secure this site from attackers."}% <sticky><div class="why"> <div id="expl1"><p class="expl">%MAKETEXT{"Foswiki checks all requests it receives from browsers, and tries to check that the persons using the browsers intentionally sent them."}%</p></div> <div id="expl2"><p class="expl">%MAKETEXT{"An evil person may try to use your login identity to change content in your wiki without your knowledge."}%</p><p class="expl">%MAKETEXT{"The attacker tries to use your rights to get things, like admin rights for the site."}%</p><p class="expl">%MAKETEXT{"This is also known as Cross-site Request Forgery, or CSRF."}%</p></div> <div id="scenario1"><p class="scenario">%MAKETEXT{"In a possible scenario, an evil person has left a link to seduce you to visit a page on http<nop>://crime.org, which has some clever javascript on it."}%</p></div> <div id="scenario2"><p class="scenario">%MAKETEXT{"Their intention is to automatically save compromising data by sending a request to your server, using your browser and your identity."}%</p></div> <div id="expl3"><p class="expl">%MAKETEXT{"If Foswiki detects a suspicious request that may have been sent from such a page, then you are asked to confirm the request."}%</p></div> <div id="expl4"><p class="expl">%MAKETEXT{"The checks performed by Foswiki can sometimes be triggered when you do something perfectly innocent, for instance if you click the Back button after saving a page. Foswiki then uses the approach \"better safe than sorry\"."}%</p></div> <p class="you" id="you1">%INCLUDE{"%BASETOPIC%" section="you"}%</p> <p class="webserver" id="webserver1">%INCLUDE{"%BASETOPIC%" section="webserver"}%</p> <p class="balloon" id="balloon1">%MAKETEXT{"Who is requesting this, actually?"}%</p> <p class="you" id="you2">%INCLUDE{"%BASETOPIC%" section="you"}%</p> <p class="evil">%MAKETEXT{"Evil person"}%</p> <p class="webserver" id="webserver2">%INCLUDE{"%BASETOPIC%" section="webserver"}%</p> <p class="balloon" id="balloon2">%MAKETEXT{"Not sure this is right, please confirm!"}%</p> <p class="dialog" id="dialog1">%INCLUDE{"%BASETOPIC%" section="dialog"}%</p> <p class="button" id="button1">%INCLUDE{"%BASETOPIC%" section="ok"}%</p> <p class="button" id="button2">%INCLUDE{"%BASETOPIC%" section="cancel"}%</p> <p class="balloon" id="balloon3">%MAKETEXT{"Ah, no!"}%</p> <p class="balloon" id="balloon4">%MAKETEXT{"Ehm, let me go back to correct the page..."}%</p> <p class="webserver" id="webserver3">%INCLUDE{"%BASETOPIC%" section="webserver"}%</p> <p class="dialog" id="dialog2">%INCLUDE{"%BASETOPIC%" section="dialog"}%</p> <p class="button" id="button3">%INCLUDE{"%BASETOPIC%" section="ok"}%</p> <p class="button" id="button4">%INCLUDE{"%BASETOPIC%" section="cancel"}%</p> <p class="balloon" id="balloon5">%MAKETEXT{"OK, this is still me!"}%</p> <p class="note" id="note1">%MAKETEXT{"Note: you must have Cookies and Javascript enabled in your browser to get past this screen. This is normally the case, but if something doesn't work, this is where to look first."}%</p> </div> </sticky> %MAKETEXT{"For more detailed information on cross-site request forgery, and the dangers it poses to you, see [[[_1]][the Cross-site request forgery article on Wikipedia]]." args="http://en.wikipedia.org/wiki/Cross-site_request_forgery"}% %MAKETEXT{"Wiki administrators should read about the [_1]." args="Foswiki:SecurityFeatures"}% <!-- %STARTSECTION{"you"}%%MAKETEXT{"You"}%%ENDSECTION{"you"}% %STARTSECTION{"ok"}%%MAKETEXT{"OK"}%%ENDSECTION{"ok"}% %STARTSECTION{"cancel"}%%MAKETEXT{"Cancel"}%%ENDSECTION{"cancel"}% %STARTSECTION{"webserver"}%%MAKETEXT{"Webserver <em>running Foswiki</em>"}%%ENDSECTION{"webserver"}% %STARTSECTION{"dialog"}%%MAKETEXT{"<strong>Confirmation required!</strong> Press OK to confirm this change was intentional<br />Press Cancel otherwise"}%%ENDSECTION{"dialog"}% --> %ADDTOZONE{"head" id="FAQWhyYouAreAskedToConfirm" text="<style type=\"text/css\" media=\"all\"> #expl1 { position:absolute; left:17px; top:23px; } #you1 { position:absolute; left:307px; top:130px; } #webserver1 { position:absolute; left:316px; top:250px; } #balloon1 { position:absolute; width:156px; left:616px; top:246px; } #expl2 { position:absolute; left:17px; top:381px; } #you2 { position:absolute; left:307px; top:485px; } #scenario1 { position:absolute; left:400px; top:545px; width:380px; } #scenario2 { position:absolute; left:579px; top:645px; width:200px; } #balloon2 { position:absolute; width:156px; left:616px; top:822px; } #expl3 { position:absolute; left:17px; top:831px; } #webserver2 { position:absolute; left:316px; top:831px; } #dialog1 { position:absolute; left:441px; top:986px; } #button1 { position:absolute; left:441px; top:1064px; } #button2 { position:absolute; left:514px; top:1064px; } #balloon3 { position:absolute; width:134px; left:249px; top:1050px; font-size:150%; color:#cd0404; } #expl4 { position:absolute; left:17px; top:1175px; } #balloon4 { position:absolute; width:192px; left:336px; top:1204px; } #webserver3 { position:absolute; left:444px; top:1339px; } #dialog2 { position:absolute; left:441px; top:1492px; } #button3 { position:absolute; left:441px; top:1569px; } #button4 { position:absolute; left:514px; top:1569px; } #balloon5 { position:absolute; width:196px; left:188px; top:1558px; font-size:130%; color:#00800c; } #note1 { position:absolute; width:320px; left:441px; top:1630px; } #scenario1 p { color:#cd0404; } .why { position:relative; width:800px; height:1808px; margin:1em 0; border-top:2px solid #6e7b97; border-bottom:2px solid #6e7b97; background-color:#fff; background-image:url(%PUBURLPATH%/%BASEWEB%/%BASETOPIC%/WhyYouAreAskedToConfirm.jpg); background-repeat:no-repeat; font-style:arial,sans-serif; font-size:15px; line-height:150%; } .why p { margin:0 0 1em 0; padding:0; color:#4c5d88; } .why span { display:block; padding:0 0 1em 0; } .why .expl { font-size:120%; width:225px; } .why .you { font-size:120%; width:75px; text-align:center; color:#000; } .why .evil { font-size:70%; width:60px; text-align:center; color:#cd0404; position:absolute; top:585px; left:312px; } .why .webserver { font-size:120%; color:#45474d; text-align:center; width:309px; padding-top:15px; line-height:100%; } .why .webserver em { font-size:80%; display:block; font-style:normal; } .why .balloon { color:#555; font-size:14px; line-height:120%; } .why .scenario { font-size:110%; } .why .dialog { color:#444; width:322px; line-height:120%; font-size:90%; } .why .dialog strong { font-size:115%; line-height:150%; display:block; } .why .button { width:63px; font-size:13px; color:#555; text-align:center; } .why .note { color:#888; line-height:120%; } </style>"}%
E
dit
|
A
ttach
|
P
rint version
|
H
istory
: r1
|
B
acklinks
|
V
iew topic
|
Edit
w
iki text
|
M
ore topic actions
Topic revision: r1 - 19 Sep 2010,
ProjectContributor
System
Log In
Toolbox
Users
Groups
Index
Search
Changes
Notifications
RSS Feed
Statistics
Preferences
User Reference
BeginnersStartHere
TextFormattingRules
Macros
FormattedSearch
QuerySearch
DocumentGraphics
SkinBrowser
InstalledPlugins
Admin Maintenance
Reference Manual
AdminToolsCategory
InterWikis
ManagingWebs
SiteTools
DefaultPreferences
WebPreferences
Categories
Admin Documentation
Admin Tools
Developer Doc
User Documentation
User Tools
Copyright &© by the contributing authors. All material on this site is the property of the contributing authors.
Ideas, requests, problems regarding BACCHUS Wiki?
Send feedback