On Saturday, May 19, 2012 11:44:55 AM UTC-4, Lynn Nagrani wrote:
My website has chat with a real-time monitor of all my web visitors. Every now and then I see a present link like:
file:///Users/jasonfarnham/Desktop/Desktop/christmas
I'm guessing this means a web visitor is somehow downloading one of my web pages. I have tried to get file:///Users . . . to show up from my computer but have been unable to do so. I've added the web visitor's IP address to the Deny Table every time I see this. Am I overreacting, or what is happening here?
Lynn,
You are correct that a URL beginning with file:// references a local file on the visitor's computer. You will not have access to that path on your system, and thus I wouldn't worry about it much if I were you. It is typical to see local files as referrer URLs either when someone has saved a page that links to yours on their local computer, or when they are the recipient of a message sent from one of the "Email This Page" buttons that are in the File menu of many browsers.
I am not aware of any extraordinary security vulnerabilities that you would face from having the chat widget on your site copied to a user's local system. At worst you might get a little spam. I do not see how that would enable an adversary to gain access to your systems. Be sure to pay attention to the usual cross-site request forgery vulnerabilities in your server-side coding and you will be fine.
If you are concerned with website security in general, a good resource to start with is the OWASP TOP 10 list at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project. If, in your website coding, you actively address all of those issues, then you are well on your way to being one of the most secure websites on the internet!
I hope this helps.
Frank
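As an added illustration of the point in Frank's reply (this is example code written for this page, not something posted in the thread or shipped with any chat product), the snippet below triages a visitor-monitor log by URL scheme. It assumes the monitor records (visitor IP, page/referrer URL) pairs; the entries in SAMPLE_ENTRIES are constructed, and the example.com hostnames and RFC 5737 test addresses are placeholders. The one thing it is meant to show is that a file:// entry resolves to a path on the visitor's own machine, which the server can neither reach nor verify, so such entries are not a useful key for a deny table.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample of what a "real-time visitor monitor" might record:
# (visitor IP address, URL of the page the chat widget reported).
SAMPLE_ENTRIES = [
    ("203.0.113.7", "https://example.com/products"),
    ("198.51.100.23", "file:///Users/jasonfarnham/Desktop/Desktop/christmas"),
    ("203.0.113.7", "http://example.com/chat?x=1"),
    ("192.0.2.44", "file:///C:/Users/someone/Saved%20Pages/example.html"),
    ("192.0.2.44", ""),  # empty referrer: browser sent nothing
]


def classify_referrer(url):
    """Classify one monitor URL by scheme.

    Returns one of:
      ("local-file", <decoded path on the visitor's machine>)
      ("web", <lower-cased host>)
      ("none", None)          for an empty value
      ("other", <scheme>)     for anything else (mailto:, about:, ...)
    """
    if not url:
        return ("none", None)
    parts = urlsplit(url)
    if parts.scheme == "file":
        # A file:// URL names a path on the *visitor's* disk. The server
        # never sees that file; it only sees the string the browser reported.
        return ("local-file", unquote(parts.path))
    if parts.scheme in ("http", "https"):
        return ("web", parts.netloc.lower())
    return ("other", parts.scheme)


def triage(entries):
    """Bucket monitor entries by classification.

    Local-file entries indicate a visitor opened a saved copy of a page
    (or followed an emailed link); they say nothing about an attack on the
    server, so they are kept separate from web-origin entries rather than
    being fed into any IP deny list.
    """
    summary = {"local-file": [], "web": [], "none": [], "other": []}
    for ip, url in entries:
        kind, detail = classify_referrer(url)
        summary[kind].append((ip, detail))
    return summary


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_ENTRIES).items():
        for ip, detail in items:
            print(f"{kind:10s} {ip:15s} {detail}")
```

Running it prints the two file:// entries under local-file with their decoded paths, separated from the http(s) entries; the paths are shown only as reported by the visitor's browser, and nothing in the script attempts to open them.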