Thanks to @sebsel for pointing this out!
Quill has bookmarklets to quickly launch a few parts of the interface, specifically replies, bookmarks and favorites. I use the "favorite" bookmarklet on a regular basis, as it allows me to favorite the page I am viewing with just one click. The bookmarklet is quite simple. It essentially just redirects to Quill's "favorite" page with the URL of the page the browser was previously on in the query string, and it also appends a parameter "autosubmit=true".
Sebastiaan noticed that this was actually quite trivial to craft an attack for, by embedding an iframe in a web page with a URL of:
<iframe src="https://quill.p3k.io/favorite?url=http://attacker.example.com/&autosubmit=true"></iframe>
The JavaScript on the page would recognize the "autosubmit" parameter, and then helpfully click the "favorite" button for you! The worst part is that the iframe could be made completely invisible, so the victim would never see it happen. (This would only work if you were already logged in to Quill, but since Quill sets long cookie lifetimes it was likely you would have an active session already.)
I can't believe I didn't notice this when I added that feature!
My solution for this is to use a signed token that gets included in the bookmarklet URL alongside the autosubmit=true parameter. The only way to get that token is when you are signed in, and it's also keyed to your account. This means an attacker now has no way to generate a token that will trigger the automatic clicking of the "like" button. When Quill renders the "favorite" page, it first checks whether there is a token and validates that it matches the signed-in user, and only if so does it include the JavaScript that automatically clicks the button.
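To make the fix concrete, here is an added example (not Quill's own code, whose exact implementation is not shown in the post) of the two server-side checks described above: the original decision that honoured autosubmit=true on its own, and the hardened decision that also requires an HMAC token keyed to the signed-in user. The secret, user ids and helper names are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret for the example. A real deployment would keep
# a persistent, randomly generated secret outside the code.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"

FAVORITE_PAGE = "https://quill.p3k.io/favorite"


def make_autosubmit_token(secret: bytes, user_id: str) -> str:
    """Token that is only mintable with the server secret and is bound to one account.

    The purpose string stops the same MAC from being reused for a different feature.
    """
    message = f"favorite-autosubmit:{user_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def bookmarklet_url(secret: bytes, user_id: str, page_url: str) -> str:
    """URL the bookmarklet redirects to; generated while the user is signed in."""
    query = {
        "url": page_url,
        "autosubmit": "true",
        "token": make_autosubmit_token(secret, user_id),
    }
    return FAVORITE_PAGE + "?" + urlencode(query)


def _query_param(request_url: str, name: str) -> str:
    return parse_qs(urlparse(request_url).query).get(name, [""])[0]


def should_autosubmit_vulnerable(signed_in_user_id, request_url: str) -> bool:
    """Original behaviour: any page that can load the URL can trigger the click."""
    if signed_in_user_id is None:
        return False
    return _query_param(request_url, "autosubmit") == "true"


def should_autosubmit(secret: bytes, signed_in_user_id, request_url: str) -> bool:
    """Hardened behaviour: emit the auto-click script only for a valid, user-bound token."""
    if signed_in_user_id is None:
        return False
    if _query_param(request_url, "autosubmit") != "true":
        return False
    presented = _query_param(request_url, "token")
    if not presented:
        return False
    expected = make_autosubmit_token(secret, signed_in_user_id)
    # Constant-time comparison so the check does not leak the expected token byte by byte.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    alice_url = bookmarklet_url(DEMO_SECRET, "alice", "https://example.org/post")
    iframe_url = FAVORITE_PAGE + "?url=http://attacker.example.com/&autosubmit=true"
    print("alice's own bookmarklet:", should_autosubmit(DEMO_SECRET, "alice", alice_url))
    print("embedded iframe (old check):", should_autosubmit_vulnerable("alice", iframe_url))
    print("embedded iframe (new check):", should_autosubmit(DEMO_SECRET, "alice", iframe_url))
```

Because the token is an HMAC over the user id, a token lifted from one user's bookmarklet does nothing when a different account is signed in, and without the server secret there is no way to produce one. A token like this stays valid until the secret is rotated; a version that also covers an expiry timestamp would limit the lifetime of a leaked bookmarklet.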