[Freeipa-devel] webUI code restructuring [wall of text, diagrams, ... you've been warned!]
Simo Sorce
ssorce at redhat.com
Wed Sep 8 18:47:18 UTC 2010
On Tue, 07 Sep 2010 14:45:49 +0200
Pavel Zuna <pzuna at redhat.com> wrote:
> Enough text. Waiting for comments. :)
I have one question.
Have you made any consideration wrt security ?
For example you say that you can push a complete state in a URL so that
you can bookmark it.
How does this cope with authentication ?
Is there any way to validate the state is legit server side, or does it
mean we make it an easy target for XSS exploits ?
Last thing I want to see is an admin clicking a link and finding out
that link actually granted some permission to the malicious user that
sent him a carefully crafted email ...
Simo.
--
Simo Sorce * Red Hat, Inc * New York
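The two checks raised in this message (validating URL-encoded state server side, and making sure a link alone can never grant anything) can be separated cleanly. The following is an added example written for this thread, not code from the FreeIPA webUI or server; the whitelist of state keys, the placeholder host, the session ids and the server secret are all constructed for illustration. Bookmarkable state is parsed against a whitelist of view-only keys and rejected outright if it carries anything else, while any state-changing operation is gated on a POST carrying a token bound to the caller's session, so a GET produced by an e-mailed link never reaches the mutation path.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Hypothetical whitelist of view-only state a bookmarkable URL may carry.
# A key maps to its set of permitted values, or to None for a length-limited
# free-form value (a primary key such as a user name).
ALLOWED_STATE = {
    "entity": {"user", "group", "host"},
    "facet": {"search", "details"},
    "pkey": None,
}
MAX_FREEFORM_LEN = 64


class StateError(ValueError):
    """Raised when URL state is not pure navigation state."""


def parse_view_state(url):
    """Return the navigation state encoded in `url` as a dict.

    Every key must be on the whitelist and may appear only once; anything
    else (an 'action', a 'role', a second 'entity') is rejected rather than
    silently dropped, so the server never acts on state it did not define.
    """
    fields = parse_qs(urlsplit(url).query, keep_blank_values=True)
    state = {}
    for key, values in fields.items():
        if key not in ALLOWED_STATE:
            raise StateError("unknown state key: %r" % key)
        if len(values) != 1:
            raise StateError("repeated state key: %r" % key)
        value = values[0]
        permitted = ALLOWED_STATE[key]
        if permitted is None:
            if not value or len(value) > MAX_FREEFORM_LEN or not value.isprintable():
                raise StateError("bad free-form value for %r" % key)
        elif value not in permitted:
            raise StateError("value %r not permitted for %r" % (value, key))
        state[key] = value
    return state


def is_safe_view_state(url):
    """True if the URL carries only whitelisted view state, False otherwise."""
    try:
        parse_view_state(url)
        return True
    except StateError:
        return False


def make_csrf_token(session_id, server_secret):
    """Derive a per-session anti-CSRF token: HMAC of the session id under a server secret."""
    return hmac.new(server_secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def authorize_mutation(method, session_id, submitted_token, server_secret):
    """Gate for state-changing operations.

    Only a POST carrying the token bound to the caller's session passes.
    A bare GET, which is all a bookmark or an e-mailed link can produce,
    never reaches the mutation regardless of what its URL says.
    """
    if method != "POST" or not submitted_token:
        return False
    expected = make_csrf_token(session_id, server_secret)
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    # Constructed sample URLs; ipa.example.test is a placeholder host.
    bookmark = "https://ipa.example.test/ipa/ui/?entity=user&facet=details&pkey=admin"
    crafted = "https://ipa.example.test/ipa/ui/?entity=user&action=add_role&role=admin"
    print("bookmark state:", parse_view_state(bookmark))
    print("crafted link accepted:", is_safe_view_state(crafted))
    secret = b"server-side secret, constructed for the example"
    token = make_csrf_token("session-42", secret)
    print("GET with state may mutate:", authorize_mutation("GET", "session-42", token, secret))
    print("POST with session token may mutate:", authorize_mutation("POST", "session-42", token, secret))
```

The point of keeping the two halves apart is that the URL parser only ever decides what to show, and the token check only ever decides whether a mutation is allowed; a link cannot smuggle an action through the first path, and the second path cannot be satisfied by a link at all.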