As the likes of homepages.inf.ed.ac.uk and groups.inf.ed.ac.uk are shared user services, anyone using some sort of authentication/authorisation to restrict access, has to trust the other users of those web services.
A lot of the web’s security model relies on the “same origin policy”.
which limits the access scripts have to data (particularly authentication data) served to/from different sites. So if a potential victim is using homepages.inf, but is duped into executing a script from badguy.org, that script would not have access to browser data relating to homepages.inf.
However if the “badguy” script is served by a homepages URL, then it would have access to any other browser data associated with homepages.inf, eg authentication data, as it would be within the “same origin”.
All users of the computing systems are bound by the University’s Computing Regulations
and intercepting and impersonating someone else on a computing system is an offense
so none of that should be going on our servers, but users of a shared web service, like homepages.inf and groups.inf should be aware of this if they are relying on authentication to limit access to sensitive or important data.
In the future we will probably look at providing equivalent homepages.inf and groups.inf services, where the hostname is unique between users and groups, so each user/group have their own “origin”, but that’s unlikely to happen in the near future.
In the meantime if you are making use of authentication/authorisation on a shared web service and wish to discuss your options, please use the support form
to contact us.