(In reply to comment #9)
> @Mike Connor - "I think I'd lean towards disabling the view source command on
> error pages entirely, it doesn't seem like it's useful, and has odd side effects
> like this."
>
> Er, it would be very useful, actually, when trying to clean up problems.
> reddragdiva.co.uk just got hit by the latest SQL injection vulnerability in
> Coppermine, and I wanted to "view source" to see just what the malware
> StopBadware was seeing was. I couldn't in Minefield. I had to do it in
> Konqueror. Making people switch browsers wasn't considered a good move in bug
> 422410 (option to view a malware page) - it's not clear why it would be a good
> move here.
I sympathize with what you're saying here - certainly it is in everyone's best interests for site operators to find badness as quickly as possible. However, any attempt to load the malware page, even in view source, should be perceived as basically saying "bring it on." More than once the idea has been floated that we should use view source as a "handle with care" solution, and it certainly does narrow the attack surface, but it doesn't eliminate it, despite creating that illusion. Attacks against our network code, our header processing, our parsing, would all still work and so the appearance that it is "safe" to view source would be rather destructively misleading in many cases.
As you mention, bug 422410 was eventually resolved to allow users who need to see the page access. We hope that users never do, but sysadmins may need to, and ultimately, as you can see in that bug, it was unclear which decision netted safer, in the end. For the case you're describing, you could now visit the page and make the determination that way. Yes, doing so would put you at risk (as would visiting it in another browser). My advice if you wanted to investigate from a safe distance would be to use a tool like curl or wget to examine the page source without any interpretation, since even view source is no guarantee.
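As an added illustration of the curl/wget advice above (not part of the bug comment), a small shell script that fetches the suspect page as raw bytes, keeps the headers and a hash of what was served, and then lists script/iframe/object targets and hidden iframes in the saved file with plain text search, so no browser parser or script engine ever touches the content. The output directory, the user agent string and the `malware.example` host in the sample are constructed placeholders; `sha256sum` is assumed to be the GNU coreutils tool.

```shell
#!/bin/sh
# Fetch a suspect page without rendering it. curl only moves bytes: it does not
# parse HTML, run scripts, or follow redirects unless asked (no -L here), and
# --raw keeps the body exactly as served (no transfer/content decoding).
fetch_raw() {
    url="$1"; out="$2"                 # out: directory that will hold the artefacts
    mkdir -p "$out"
    curl -sS --raw --max-time 30 --max-filesize 5000000 \
        -A 'Mozilla/5.0 (compatible; site-operator-check)' \
        -D "$out/headers.txt" -o "$out/body.bin" "$url"
    sha256sum "$out/body.bin" > "$out/body.sha256"   # record what was actually served
}

# Static look at the saved bytes: every target loaded by <script>, <iframe>,
# <object> or <embed>. Plain text search only; nothing is parsed or executed.
list_remote_refs() {
    grep -oiE '<(script|iframe|object|embed)[^>]*(src|data)="?[^" >]+' "$1" \
        | sed -E 's/.*(src|data)="?//' \
        | LC_ALL=C sort -u              # fixed collation so results are reproducible
}

# Lines containing an iframe that is sized to zero or styled invisible, the usual
# shape of an injected loader. grep -c counts matching lines; it prints 0 (and
# exits 1, hence || true) when there are none.
count_hidden_iframes() {
    grep -ciE '<iframe[^>]*(width="?0|height="?0|visibility: *hidden|display: *none)' "$1" \
        || true
}

# Typical use (network access required for the fetch step):
#   fetch_raw 'http://site.example/index.php' ./evidence
#   list_remote_refs ./evidence/body.bin
#   count_hidden_iframes ./evidence/body.bin
```

Compare the listed targets against the site's own known assets; anything pointing at a host you do not recognise is what the scanner was flagging.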