[Owasp-leaders] twitter link on the owasp wiki

psiinon psiinon at gmail.com
Fri Dec 9 10:23:29 EST 2011


Just realised that the twitter example just includes the URL :)
Some of the others use the URL and also the page title.
Either look at the template code, hover over the links or actually click on
them.
None of them should do anything without another confirmation - all of the
social media sites linked to should handle CSRFs by now!
Let me know if you have any problems/suggestions/etc but I don't claim to be
a MediaWiki expert :)

Cheers,

Simon

On Fri, Dec 9, 2011 at 3:14 PM, psiinon <psiinon at gmail.com> wrote:

> If you apply the template to a page then the default message is the page
> name, which users can then change - see the attached example for twitter.
> It's just plain links, no javascript, no JSON, no external content:
> https://www.owasp.org/index.php?title=Template:Social_Media_Links&action=edit
> So I think we'll leak the referrer (unless disabled in the browser) but
> nothing else?
> Someone else please sanity check the template!
>
> Cheers,
>
> Simon
>
>
> On Fri, Dec 9, 2011 at 3:01 PM, John Wilander <john.wilander at owasp.org> wrote:
>
>> Fairly clean. I'm happier with this than the "paste this script".
>>
>> So, does it let users add a message to the tweet etc or do we have
>> pre-configured messages?
>>
>> And on the technical side, are we now hot linking to some integration
>> code? Are we doing JSONP? Are we leaking tracking info even when users are
>> not clicking any of the links? Just checking.
>>
>> /John
>>
>> --
>> My music http://www.johnwilander.com
>> Twitter https://twitter.com/johnwilander
>> CV or Résumé http://johnwilander.se
>>
>> On 9 Dec 2011, at 08:28, Tom Brennan <tomb at owasp.org> wrote:
>>
>> Looks really clean
>>
>> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
>>
>>
>> On Dec 9, 2011, at 8:15 AM, psiinon <psiinon at gmail.com> wrote:
>>
>> OK, decided to apply money to mouth :)
>>
>> I've created a template: {{Social Media Links}} which I've shamelessly
>> ripped off from http://en.wikinews.org/wiki/Template:Social_bookmarks
>> and applied it to
>> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
>>
>> What does everyone think??
>>
>> Cheers,
>>
>> Simon
>>
>> On Fri, Dec 9, 2011 at 11:10 AM, psiinon <psiinon at gmail.com> wrote:
>>
>>> "What are the gains?"
>>>
>>> It's just another way to get the OWASP message across.
>>> Security pros may know all about us, but I'm still finding developers
>>> who haven't heard of OWASP.
>>> I'm not saying that this is the one and only answer, but it might help a
>>> little bit.
>>> Anything that gets OWASP onto sites like reddit and Digg etc has got to
>>> be a good thing.
>>> As long as these links don't make the site insecure and don't piss people
>>> off then I think it would be worth doing.
>>> We could always knock up some manual links on a couple of trial pages
>>> and see if they make any difference?
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>>
>>> On Thu, Dec 8, 2011 at 7:30 PM, John Wilander <john.wilander at owasp.org> wrote:
>>>
>>>> So we're entering the era of mashups with various cross-origin hacks,
>>>> inlined JavaScript that fetches more JavaScript on the fly, and data
>>>> leakage to social networks and their customers. I encourage you to look
>>>> under the hood of these types of buttons. It's not a pretty sight IMHO.
>>>>
>>>> Eventbrite iframe seems fair. But apart from that, what are the gains?
>>>>
>>>> Are we talking of a static "Hey, check out OWASP" tweet link, many
>>>> static tweet links à la "Check out OWASP project X", or a tweet link with
>>>> dynamic content "Check out the next global OWASP event Y"? Who are we
>>>> hoping for to click? Do typical owasp.org visitors click such buttons?
>>>>
>>>> Please convince me :).
>>>>
>>>>    Regards, John
>>>>
>>>>
>>>>
>>>> 2011/12/6 OWASP Dutch Chapter <netherlands at owasp.org>
>>>>
>>>>> L.S.
>>>>>
>>>>> I have a similar question... I would like to be able to integrate an
>>>>> iFrame from EventBrite for our Chapter event registration.
>>>>>
>>>>> Ferdinand Vroom
>>>>> OWASP Netherlands Chapter
>>>>>
>>>>> 2011/12/6 Eoin <eoin.keary at owasp.org>
>>>>>
>>>>>> Is it technically possible to put a "tweet this" link on the OWASP
>>>>>> wiki pages?
>>>>>> Can we add it to page templates?
>>>>>>
>>>>>> Just a question?
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Eoin Keary
>>>>>> OWASP Global Board Member (Vice Chair)
>>>>>>
>>>>>> https://twitter.com/EoinKeary
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> OWASP Dutch Chapter
>>>>> Ferdinand Vroom
>>>>> Martin Knobloch
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> John Wilander, https://twitter.com/johnwilander
>>>> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>>>> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
>>>> My music http://www.johnwilander.com & my résumé http://johnwilander.se
>>>>
>>>>
>>>
>
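
The question raised in the thread above (plain links versus hot-linked integration code, and what is leaked before anyone clicks) can be checked mechanically. The following is an added example, not part of the original messages and not the OWASP template itself; `ShareLinkAudit`, `audit`, the sample HTML and the host `widgets.example` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subset of tags whose URL attribute is fetched as soon as the page renders.
AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src"}

class ShareLinkAudit(HTMLParser):
    """Separate cross-origin fetches on page load from click-only links."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.on_load = []           # (tag, host): contacted without any click
        self.on_click = []          # (host, sends_referrer): contacted on click
        self.inline_script = False  # inline JS could fetch more code at runtime

    def _external_host(self, url):
        host = urlparse(url or "").hostname
        return host if host and host != self.site_host else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self.inline_script = True
        if tag in AUTO_FETCH:
            host = self._external_host(attrs.get(AUTO_FETCH[tag]))
            if host:
                self.on_load.append((tag, host))
        elif tag == "a":
            host = self._external_host(attrs.get("href"))
            if host:
                rel = (attrs.get("rel") or "").lower().split()
                self.on_click.append((host, "noreferrer" not in rel))

def audit(html, site_host):
    parser = ShareLinkAudit(site_host)
    parser.feed(html)
    return parser

# Constructed samples: a plain share link, and a script-based share button.
PLAIN = ('<a href="https://twitter.com/intent/tweet?url=https%3A%2F%2F'
         'www.owasp.org%2F">Tweet</a>')
WIDGET = ('<a href="https://twitter.com/intent/tweet" rel="noreferrer">Tweet</a>'
          '<script src="https://widgets.example/button.js"></script>')

if __name__ == "__main__":
    for name, html in (("plain", PLAIN), ("widget", WIDGET)):
        r = audit(html, "www.owasp.org")
        print(name, "on load:", r.on_load, "on click:", r.on_click)
```

An empty `on_load` list corresponds to the "plain links, no javascript, no external content" case; each `on_click` entry with `True` is a link that sends the referrer unless `rel="noreferrer"` is added or the browser suppresses it.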

