We've got problems

Toshio Kuratomi a.badger at gmail.com
Thu Dec 18 22:31:03 UTC 2008


Mike McGrath wrote:
> CSRF:
> 
> CSRF is a pretty serious deal, Toshio is working on it but I'm sure he can
> use some help.
> 
> Ticket: #992
> 
Till brought up concerns with a decrease in usability to do it the way
I've outlined.  This is certainly a valid problem.  The question is
whether it outweighs the benefit of mitigating the effects of programmer
errors.  Till didn't reply to my last message... though it might be
that he just decided I was too stubborn to change rather than agreeing
with me :-).  If anyone sees a way to reconcile both "click from email"
and "prevent spoofing by default", let me know; otherwise I'm committing
code soon.

If anyone wants to help code, this is a problem that is easily broken
into pieces.  So one person can get involved with creating our custom
version of tg.url() while someone else updates the identity provider and
someone else updates the BaseClient implementations.

-Toshio
