This adds the BOM to all HTTP pages as per the HTML5 spec and ensures
all pages use UTF-8 as their meta charset (which is still kept for
compatibility with older browsers).
This is mostly useful for the testclient, which otherwise can't interact
with the login server without huge hacks like the iframe copy/paste.
Requiring an external sid resolves any security issues, sid being the
only cookie we use for security-sensitive things, and also being our
CSRF token.
In theory, this is also useful for clients that don't support cookies,
although I'm unsure how they'd get their hands on an sid in the first
place. I guess just run login actions?
For too long, ntbb-session and ntbb-database have been maintained
outside of this repo, but no longer! All these files are now part of the
repository, making it significantly more self-contained.
If I had to say why it took this long, I think it was mostly inertia. It
was easier leaving them where they were than having to audit them for
private keys in the wrong places, etc.
I'm starting to think of PS more as sim first, website secondary than
the other way around, now. Especially now that we don't have a forum,
the website itself isn't really important... Maybe one day I'll get rid
of the landing page and make the sim itself the first thing you see when
you hit pokemonshowdown.com... but today is not that day!
The repo is still not "batteries-included" since I am not going to teach
anyone how to set up PHP and MySQL or even get the config files working.
But for anyone who wanted their own client, well, it gets a lot easier
to do now.
A version of Chrome suddenly started complaining about PS's
cross-origin communication system. These changes seem to mostly
solve the issue.
This is kind of voodoo programming, but oh well. You do what you have
to, to work around obscure client bugs.
This moves most of the logic of action.php into a separate file
lib/dispatcher.lib.php and separates the actions into ladder-related
actions and non-ladder-related actions. This is intended to make it
possible to have a second action.php that handles only ladder-related
actions, which can run on the main server computer and allow
that computer to make HTTP requests to `localhost`, which should
help reduce ladder errors.
The `serverlist` action returns a list of registered servers. It accepts
cross-domain requests, which is safe since it merely returns publicly
available information.
The Pokemon Showdown server already enforced a maximum username length
of 18 characters, but the login server allowed registering names up to
63 characters long.
- check timestamp in index.php rather than sim.js to reduce the chance
of false positives caused by the user's internet connection being
slow or the user's clock being slightly wrong
- require timestamp logging to be a POST request
As of this commit, if a registered server does not provide us with
a server token, authentication for `ladderupdate` is based purely on
the IP address of the server. This technically also applies to
the `prepreplay` action, but only the main server can use that at
this time, so that does not actually change anything.
This avoids an attack where a malicious webpage contains
<script id="data" type="application/json"
src="http://play.pokemonshowdown.com/~~showdown/action.php?act=upkeep"/>
The webpage could then read the value of the `data` element using
standard DOM methods in order to steal the user's login assertion
and log in as the user on the `showdown` server.
This commit implements the following:
- each server now has a separate session with a 'sid' cookie
scoped to /~~server:port
- 'sid' cookies are now HTTP-only and not accessible in JavaScript
- the showdown_token cookie is removed
Together, these changes fix various XSS attacks.
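As an added example (not the login server's own code), the following PHP sketches the two protections described in the commits above: the per-server HttpOnly `sid` cookie scoped to `/~~server:port`, and server authentication that uses the registered token when present and falls back to the IP address otherwise. The function names and the `$registered` array layout are assumptions.

```php
<?php
// Added example, not code from the Pokemon Showdown login server.
// Function names and the $registered structure are assumptions.

function issueServerSid(string $server, int $port, string $sid): void
{
    // Scoping the cookie path keeps one server's session separate from
    // another's; HttpOnly keeps document.cookie (and any XSS) from reading it.
    setcookie('sid', $sid, [
        'path'     => '/~~' . $server . ':' . $port,
        'httponly' => true,
        'secure'   => true,   // assumption: the login server is served over HTTPS
        'samesite' => 'Lax',
    ]);
}

// $registered maps server id => ['ip' => '...', 'token' => '...' or null].
// Returns the authenticated server id, or null if the request is rejected.
function authenticateServer(array $registered, string $serverId,
                            ?string $token, string $remoteIp): ?string
{
    if (!isset($registered[$serverId])) {
        return null;
    }
    $entry = $registered[$serverId];
    if ($entry['token'] !== null) {
        // Constant-time comparison so the token cannot be guessed byte by byte.
        return ($token !== null && hash_equals($entry['token'], $token))
            ? $serverId : null;
    }
    // No token registered: IP-only check, as the ladderupdate commit describes.
    // Weaker than a token, since anything sharing that address passes it.
    return $entry['ip'] === $remoteIp ? $serverId : null;
}

// State-changing actions (timestamp logging, ladderupdate) are POST only.
function requirePost(): bool
{
    return ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
}

// Constructed sample registry for illustration only.
$registered = [
    'showdown'    => ['ip' => '203.0.113.10', 'token' => 'EXAMPLE_TOKEN'],
    'localserver' => ['ip' => '127.0.0.1',    'token' => null],
];
var_dump(authenticateServer($registered, 'localserver', null, '127.0.0.1'));
var_dump(authenticateServer($registered, 'showdown', 'wrong', '203.0.113.10'));
```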