Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

hm, how can XSS on subdomain: "steal the session, preform a DoS using the size of the cookie"


>The solution is forced TLS with HSTS and includeSubdomains.

that's true. Few questions: 1) does django provide HSTS header by default? didn't find it in codebase 2) does django has includeSubdomains? bitbucket doesn't have it 3) it is still vulnerable to subdomain-XSS tossing.

taking into account all possible ways to replace the token I think it's django's duty to couple it with session (whatever it is in django) by default. What do you think, should it stay semi manual?


1) Not currently (and it's unlikely to be able to do so) there's an addon to add it which has been talked about getting it into core. I do believe it's documented to use HSTS and TLS if you want your site secured and recommends the ddon.

2) The above addon does have it. I have no idea what bitbucket does.

3) Not sure I understand what this means, you mean if there is a valid XSS on a subdomain?

Decoupling CSRF and Sessions has been a requirement for us for awhile now. We've spoken a little bit about optionally coupling them where if you have the session framework enabled it will couple them but if you don't it falls back on the current method.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: