Malicious Links

Oliver Simmons oliversimmo at gmail.com
Fri Jul 16 11:45:43 BST 2021


On Fri, 16 Jul 2021 at 09:55, nervuri <nervuri at disroot.org> wrote:
>
>   Before following a URI which is in scope of a client certificate from
>   a URI outside of that scope, clients MUST/SHOULD display the target
>   URI and what client certificate would be used to connect to it.
>
>   Doing this will help protect against Cross-Site Request Forgery
>   (CSRF). It applies to:
>     * following a link on a page
>     * going through one or more redirects
>

How about the following?

"A client MUST NOT make a request to a URI in the scope of a client
certificate outside the current scope, unless the user explicitly
allows the request. The client SHOULD present the full target URI to
the user."

This solves some of the issues with 'display' and makes the part about
user control more clear IMO.

Maybe it would be good to mention it's ok to make the request without
the client cert?

--
-Oliver Simmons (GoodClover)
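The rule proposed above (hold a request that would cross into a client-certificate scope until the user has seen the full target URI and the certificate involved; fall through to an anonymous request when the target is outside every scope) can be expressed as a small decision routine. The code below is an added example and is not part of this message or of any Gemini client. It assumes a simplified scoping model in which a certificate is bound to one host, port and path prefix; the certificate name, hostnames and URIs are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

GEMINI_PORT = 1965


@dataclass(frozen=True)
class CertScope:
    # Assumed model: the certificate called `name` applies to every URI on
    # `host`:`port` whose path lies under `path_prefix`.
    name: str
    host: str
    port: int = GEMINI_PORT
    path_prefix: str = "/"

    def covers(self, uri: str) -> bool:
        parts = urlsplit(uri)
        if parts.scheme.lower() != "gemini":
            return False
        host = (parts.hostname or "").lower()
        port = parts.port or GEMINI_PORT
        path = parts.path or "/"
        prefix = self.path_prefix if self.path_prefix.endswith("/") else self.path_prefix + "/"
        # Match on whole path segments so that /app does not cover /application.
        return host == self.host.lower() and port == self.port and (path + "/").startswith(prefix)


@dataclass(frozen=True)
class Decision:
    send: bool                    # True: the request may be made now
    cert: Optional[str]           # certificate to present, or None for an anonymous request
    prompt: Optional[str] = None  # text to show the user when send is False


def scope_for(uri: Optional[str], scopes: List[CertScope]) -> Optional[CertScope]:
    """Return the first configured scope covering `uri`, or None."""
    if uri is None:
        return None
    for scope in scopes:
        if scope.covers(uri):
            return scope
    return None


def decide(current_uri: Optional[str], target_uri: str,
           scopes: List[CertScope], user_allowed: bool = False) -> Decision:
    """Apply the proposed rule to one navigation step (a link click or one redirect)."""
    target_scope = scope_for(target_uri, scopes)
    if target_scope is None:
        # Target is outside every certificate scope: plain anonymous request.
        return Decision(send=True, cert=None)
    if scope_for(current_uri, scopes) == target_scope:
        # Staying inside the scope already in use: no prompt needed.
        return Decision(send=True, cert=target_scope.name)
    if user_allowed:
        # The user has explicitly allowed this cross-scope request.
        return Decision(send=True, cert=target_scope.name)
    # Entering a certificate scope from outside it: hold the request and show
    # the full target URI together with the certificate that would be presented.
    return Decision(
        send=False,
        cert=target_scope.name,
        prompt=f"Present certificate '{target_scope.name}' to {target_uri}?",
    )


def check_chain(start_uri: str, hops: List[str], scopes: List[CertScope]) -> List[Decision]:
    """Evaluate a redirect chain hop by hop, stopping at the first hop that needs confirmation."""
    decisions = []
    previous = start_uri
    for uri in hops:
        d = decide(previous, uri, scopes)
        decisions.append(d)
        if not d.send:
            break
        previous = uri
    return decisions


if __name__ == "__main__":
    # Constructed configuration: one identity certificate bound to a path prefix.
    scopes = [CertScope("garden-identity", "capsule.example", path_prefix="/app")]
    print(decide("gemini://other.example/blog", "gemini://capsule.example/app/water", scopes))
    print(check_chain("gemini://other.example/",
                      ["gemini://other.example/go", "gemini://capsule.example/app/water"], scopes))
```

A `Decision` with `send=False` is the point at which a client would render the prompt and, on approval, call `decide` again with `user_allowed=True`; an in-scope target reached from inside the same scope never prompts, so ordinary navigation within an authenticated area stays silent.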

