Dear Rails enthusiants,
I'm currently developing a web app that allows each user to modify his page, using any HTML and any JavaScript. Sure, they can mess up their own page, but what I worry is cross-site scripting vulnerabilities, especially cookie replay/session hijacking.
What I worry is that if a user creates a page and fetches the current cookie, and save it somewhere else. The user who visits the page doesn't know about that.
I wonder what's the solution for this. Thank you in advance.
Oomph, I'm not considering subdomains yet, too complicated.
I'm not planning to limit JavaScript, but more like designing which security works best so that JavaScript can't take advantage of it (so, it's more the server-side).
Maybe using HTTP authentication? But this way, cookie/session doesn't work. Maybe HTTP auth + cookie? (so that cookie itself doesn't count as "legit" session).
I'm also considering associating an IP address with a session, but I understand that some people have rotated proxies and a group of people even surf with the same IP. So I don't think it's a good solution.
Keep up to date with Rails on Twitter and This Week in Rails
Policies: Conduct, License, Maintenance, Security, Trademarks