
Actually, some subset of this functionality is possible with static or semi-static pages, but the problem is not so much about a page being static or dynamic as about being read-only vs. getting user input. As soon as you need to deal with user input, there are inherent security issues.

You can get around these by having some presets in the profile and providing cached results for the most common search types, but this is more or less as far as you can go.




This is incorrect: any request made by a browser to a backend will, by definition, accept user input whether it wants to or not.

I can change the values of the presets; I can add headers, remove headers, change the value of cookies, add cookies, remove cookies, etc.


Strictly speaking, you are correct. But in this case, dealing with user input such as headers and their modifications is the responsibility of the server, just like dealing with potentially malformed HTTP replies is the responsibility of the browser. What we are talking about here, though, is the possibility of interaction with the remaining elements of the system (application, database). If these are read-only, the attacker loses these attack vectors.



