
Return to previous page after exiting high security mode
Open, Needs Triage, Public

Description

Exiting high security mode takes the user to /auth/session/downgrade/ where they click "Continue" and are then taken to /settings/user/{username}/page/sessions/.

I think a better workflow would be to return the user to whatever page they were on when they clicked the "Your session is in high security mode" notice:

[Screenshot attachment: pasted_file (85×322 px, 9 KB)]

Event Timeline

Some possible implementations of this expose an open redirect (e.g., by passing returnURI=<something> where <something> can be anything). An open redirect here isn't necessarily inherently dangerous, but the minor inconvenience we'd avoid probably isn't worth the security risk.

(With Phurl, I think local redirects are now less safe than they once were and approximately as powerful as remote redirects; it's possible we may want to lock down next on login at some point.)

We could sign the returnURI with a session-specific secret and redirect only in the presence of a valid signature, although this is complex.

We can probably make this particular bubble use workflow so the dialog pops up on the same page, then have the server issue a ReloadResponse. This is probably the best solution, but requires JS.

Approximate implementation is:

  • Get the workflow sigil onto the bubble, maybe with JX.Stratcom.addSigil(...) in the bubble rendering bit.
  • Things maybe just work from there, as if by magic?
  • Or maybe the click handler needs to know to invoke JX.Workflow some of the time.
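The signed-returnURI option from the discussion above, worked through as an added example; this is not Phabricator's code, and the names `derive_session_secret`, `sign_return_uri`, `resolve_return_uri`, the server key and the session identifiers are assumptions made for illustration. It goes slightly beyond the comment by also rejecting anything that is not a same-origin path, so that even a correctly signed value cannot become the open redirect the first comment warns about (absolute URLs, protocol-relative `//host` forms and backslash variants all fall back to the sessions page). The per-session secret means a signature minted for one session does not validate in another.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Where the downgrade flow lands today when no usable returnURI is present
# (username is a placeholder standing in for the real user).
DEFAULT_RETURN = "/settings/user/{username}/page/sessions/"


def is_local_path(uri: str) -> bool:
    """Accept only same-origin paths.

    A local path must start with exactly one '/', carry no scheme or host,
    and contain no backslashes or line breaks (which some clients treat as
    '/' or which could split headers).
    """
    if not uri.startswith("/") or uri.startswith("//") or uri.startswith("/\\"):
        return False
    if "\\" in uri or "\r" in uri or "\n" in uri:
        return False
    parts = urlsplit(uri)
    return not parts.scheme and not parts.netloc


def derive_session_secret(server_key: bytes, session_id: str) -> bytes:
    """Session-specific signing key: HMAC of the session id under a server-wide key (assumed).

    Signatures produced under one session's key do not verify under another's.
    """
    return hmac.new(server_key, session_id.encode("utf-8"), hashlib.sha256).digest()


def sign_return_uri(uri: str, session_secret: bytes) -> str:
    """Return a hex HMAC-SHA256 signature over a local return path.

    Refuses to sign anything that is not a same-origin path so that a
    signature can never vouch for an off-site destination.
    """
    if not is_local_path(uri):
        raise ValueError("refusing to sign a non-local return URI: %r" % uri)
    return hmac.new(session_secret, uri.encode("utf-8"), hashlib.sha256).hexdigest()


def resolve_return_uri(uri: Optional[str], signature: Optional[str],
                       session_secret: bytes, fallback: str = DEFAULT_RETURN) -> str:
    """Decide where to send the user after the session downgrade.

    Redirect to `uri` only if it is a local path AND its signature verifies
    under this session's secret; otherwise use the fixed fallback page.
    """
    if not uri or not signature:
        return fallback
    if not is_local_path(uri):
        return fallback
    expected = hmac.new(session_secret, uri.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, signature):
        return fallback
    return uri


if __name__ == "__main__":
    # Constructed demo values; a real deployment would keep the server key secret.
    server_key = b"constructed-server-wide-key"
    secret_a = derive_session_secret(server_key, "session-A")
    secret_b = derive_session_secret(server_key, "session-B")

    sig = sign_return_uri("/T123", secret_a)
    print(resolve_return_uri("/T123", sig, secret_a))        # /T123
    print(resolve_return_uri("/T124", sig, secret_a))        # fallback: tampered path
    print(resolve_return_uri("/T123", sig, secret_b))        # fallback: other session
    print(resolve_return_uri("//evil.example/", sig, secret_a))  # fallback: not local
```

The fallback is deliberately a fixed page rather than an error, so a stale or missing signature degrades to today's behaviour instead of stranding the user; `is_local_path` runs before the HMAC check on both the signing and the resolving side so the two halves cannot disagree about what counts as local.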