libcord-tech / gauntlet

A keybinding tool for defending quickly in NationStates.
BSD 3-Clause "New" or "Revised" License
3 stars, 3 forks

Password included in URL when prepping #19

Open merni-ns opened 1 year ago

merni-ns commented 1 year ago

When using the prepping feature, the switchers' password is included directly in the URL. The URL opened is https://www.nationstates.net/template-overall=none/page=un?nation=merni1&password=********&logging_in=1 (I replaced the actual password with *). This is possibly a security issue.

esfalsa commented 1 year ago

Hm, I'm not sure there's a way around this within the scope of a keybinding script. I'm not very well-versed in security (curious if @roavin or @paulhaku have any thoughts here), but I think the main security issues are sending passwords as plaintext in query parameters and storing passwords as plaintext in browser history entries?

With respect to the first, Gauntlet only works on pages with an HTTPS connection to NationStates servers, so it shouldn't be an issue.

With respect to the second, we'll probably need to make use of chrome.history.deleteUrl — I did some quick testing and it seems like history.replaceState and location.replace don't actually remove the original entry from the browser's history, so I don't think there's a client-side solution.

roavin commented 1 year ago

I think the solution here is to simply pass the password as a POST parameter rather than a GET parameter. That way, it won't be in history, it won't be MITM'd due to TLS, and the only thing that could look at it is something that has webRequest permissions (AdBlockPlus or such).
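The two approaches raised in this thread, written out as an added example (this is not Gauntlet's code and not code from any commenter): the GET navigation from the report beside a POST form submission to the same endpoint, plus the chrome.history.deleteUrl clean-up esfalsa mentions for URLs that have already been visited. The endpoint path and the field names nation, password and logging_in are taken from the reported URL; that the endpoint accepts the same fields by POST is assumed, as are all function names and the injectable doc/historyApi parameters (added so the logic can be exercised outside a browser).

```javascript
// Added example, not part of the Gauntlet project.
// Endpoint and field names come from the URL in the bug report; accepting the
// same fields via POST is an assumption based on how the normal NS login form works.
const NS_PREP_ENDPOINT = 'https://www.nationstates.net/template-overall=none/page=un';

// Before: the password rides in the query string, so it is written to browser
// history and to any proxy/server access log, and can leak via Referer headers.
function legacyPrepUrl(nation, password) {
  const u = new URL(NS_PREP_ENDPOINT);
  u.searchParams.set('nation', nation);
  u.searchParams.set('password', password);
  u.searchParams.set('logging_in', '1');
  return u.toString();
}

// After: same endpoint and fields, but the credentials travel in the POST body.
// Only the secret-free URL reaches history; TLS protects the body in transit.
function buildPrepRequest(nation, password) {
  const body = new URLSearchParams({ nation, password, logging_in: '1' });
  return { method: 'POST', url: NS_PREP_ENDPOINT, body };
}

// Quick check usable in a test: does a navigation target carry the secret?
function urlLeaksSecret(url, secret) {
  const u = new URL(url);
  return [...u.searchParams.values()].includes(secret);
}

// Submit as a top-level navigation (a real form, not fetch) so the browser
// lands on the response page and stores cookies exactly like a manual login.
// `doc` is injectable so the function can run against a fake document.
function submitPrepForm(request, doc = globalThis.document) {
  const form = doc.createElement('form');
  form.method = request.method;
  form.action = request.url;
  for (const [name, value] of request.body) {
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
  return form;
}

// Clean-up for URLs already recorded by the GET version. chrome.history.deleteUrl
// needs the "history" extension permission; `historyApi` is injectable for tests.
function scrubLeakedUrl(url, historyApi = globalThis.chrome?.history) {
  if (!historyApi || typeof historyApi.deleteUrl !== 'function') {
    return Promise.resolve(false); // not running as an extension with history access
  }
  return Promise.resolve(historyApi.deleteUrl({ url })).then(() => true);
}
```

Switching to POST only stops new history entries; any URL already visited with the GET form stays in history until it is deleted, which is why the scrub function is still useful as a one-off migration step. As Roavin notes, the POST body remains visible to any extension holding webRequest permission, so this removes the password from history and logs, not from other browser extensions.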

merni-ns commented 1 year ago

Yeah, that's what I was expecting. After all, that's the way it works on NS without a script (and most other websites, presumably).

(Replying by email on Monday, February 13th, 2023 at 16:50 to Roavin's comment above.)