HTML5 localStorage Security

Created on 4 December 2016, over 8 years ago
Updated 19 May 2025, 2 months ago

In D8, we use HTML5 localStorage everywhere. One example is the Toolbar module: it saves the reusable toolbar HTML for subsequent requests.

Attackers are able to inject malicious data into localStorage for the users who log in next (on the same device).

You can see this by:
====================

** ON THE SAME DEVICE ONLY **

A:
1. [ATTACKERS]: Open the console and inject:

    // The HTML tags around the alert(1) payload are missing from the page as captured;
    // only the JSON skeleton and the bare payload remain.
    localStorage.setItem('Drupal.toolbar.subtrees.bartik', '{"system-admin_content":"alert(1)","help-main":""}');
    localStorage.setItem('Drupal.toolbar.trayVerticalLocked', true);

2. [USER]: Log in.
3. [USER B]: Log in.

B:
1. User A logs in and switches to the vertical toolbar.
2. User A logs out.
3. [ATTACKERS]: Open the console and call localStorage.getItem.

Proposed resolution:
====================

Toolbar module:
- Encode the hash with the user's token in _toolbar_get_subtrees_hash.

Core:
- Clean up localStorage (and sessionStorage) during login and logout.
- Switch all localStorage used for HTML to sessionStorage.

Note: sessionStorage is not shared between tabs.

Reported by droplet

πŸ› Bug report
Status

Active

Version

11.0 πŸ”₯

Component

toolbar.module

Created by

πŸ‡ΊπŸ‡ΈUnited States micnap

Tags: Security improvements

Comments & Activities

Not all content is available: it's likely this issue predates Contrib.social, so some issue and comment data are missing.

  • 🇫🇷 France prudloff (Lille)

    We could use the Clear-Site-Data header on logout responses.
    I think I remember seeing an issue about this header but I can't find it.
