(→XML: remove login per URL, because no page supports that anymore, to avoid XSS attacks) |
(→XML: login page URL: Require HTTPS) |
Line 146: | Line 146: | ||
<webMail> | <webMail> | ||
<!-- Webpage where the user has to log in manually by entering username | <!-- Webpage where the user has to log in manually by entering username | ||
and password himself. --> | and password himself. | ||
<loginPage url=" | HTTPS required. --> | ||
<loginPage url="https://mail.example.com/login/" /> | |||
<!-- Same as loginAutomaticDOM, but the website makes checks that | <!-- Same as loginAutomaticDOM, but the website makes checks that | ||
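Review bot: The added "HTTPS required." line in the loginPage comment states the rule but not what a client should do when the url is not https. Say whether the client ignores the loginPage element or rejects the configuration in that case, so implementations behave the same way. The sample value https://mail.example.com/login/ already complies.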
Line 158: | Line 159: | ||
The *Name attributes give the DOM name attribute, | The *Name attributes give the DOM name attribute, | ||
while *Selector attributes give CSS selectors. | while *Selector attributes give CSS selectors. | ||
Don't treat the | Don't treat the IDs given in this XML file as trusted, | ||
but before using them, verify the format | |||
(e.g. only characters and digits for IDs). | |||
If you use powerful functions like jQuery, and the XML returns | |||
you code in the username ID, and you feed it unchecked to jQuery, | |||
it may be executed. | |||
HTTPS is required for the URL. --> | |||
<loginAutomaticDOM | <loginAutomaticDOM | ||
url="https://mail.example.com/login/" | url="https://mail.example.com/login/" |
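Review bot: In the warning added to the loginAutomaticDOM comment, "only characters and digits for IDs" is too loose to implement and covers only part of the attributes. "Characters" presumably means letters; name the allowed set explicitly. The same comment says the *Selector attributes give CSS selectors, which cannot pass a letters-and-digits check, so the text should also say how selector values are to be validated or handled before they reach a function like jQuery. The sentence "the XML returns you code in the username ID" would read more clearly as "the XML contains code in place of the username ID".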