On Tue, 07 Sep 2010 14:45:49 +0200
Pavel Zuna <pz...@redhat.com> wrote:

> Enough text. Waiting for comments. :)

I have one question.
Have you made any consideration wrt security?

For example you say that you can push a complete state in a URL so that
you can bookmark it.
How does this cope with authentication?
Is there any way to validate the state is legit server side, or does it
mean we make it an easy target for XSS exploits?
Last thing I want to see is an admin clicking a link and finding out
that link actually granted some permission to the malicious user that
sent him a carefully crafted email ...


Simo Sorce * Red Hat, Inc * New York
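Added example (not code from the thread or from the FreeIPA project) illustrating the server-side split the question is asking about: a bookmarkable URL may carry navigation-only state, while anything that changes permissions must require a token bound to the caller's authenticated session, so a link pasted into an email cannot supply it. The allow-listed keys, action names and secret are constructed for the example and are not FreeIPA's real ones.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Hypothetical allow-list of keys a bookmarkable URL may set (constructed, not FreeIPA's).
NAV_KEYS = {"entity", "pkey", "facet"}

# Hypothetical names of state-changing actions; these must never be driven by URL state.
MUTATING_ACTIONS = {"grant", "add_member", "delete"}


def parse_navigation_state(url):
    """Return (accepted_state, rejected_keys) for a bookmarked UI URL.

    Only navigation keys survive; any other key (e.g. an 'action' smuggled
    into the fragment) is dropped and reported so the caller can log it.
    """
    parsed = urlparse(url)
    raw = parse_qs(parsed.fragment or parsed.query)
    state = {k: v[0] for k, v in raw.items() if k in NAV_KEYS}
    rejected = sorted(k for k in raw if k not in NAV_KEYS)
    return state, rejected


def make_csrf_token(secret, session_id):
    """Token bound to the authenticated session via HMAC over the session id."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_mutation(secret, session_id, action, token):
    """Server-side gate for state-changing requests.

    The action must be a known mutating action, and the request must carry a
    token matching the caller's own session. A crafted link cannot know the
    token, so following it from an email cannot grant anything.
    """
    if action not in MUTATING_ACTIONS:
        return False
    expected = make_csrf_token(secret, session_id)
    return hmac.compare_digest(expected, token or "")


if __name__ == "__main__":
    # Constructed sample: a bookmark URL with an action smuggled into the fragment.
    url = "https://ipa.example/ui/#entity=user&pkey=alice&facet=details&action=grant&role=admin"
    state, rejected = parse_navigation_state(url)
    print("navigation state:", state)
    print("rejected keys (log these):", rejected)

    secret = b"constructed-server-secret"
    token = make_csrf_token(secret, "session-1")
    print("grant with valid token:", authorize_mutation(secret, "session-1", "grant", token))
    print("grant from a link with no token:", authorize_mutation(secret, "session-1", "grant", ""))
```

The design point is that URL state is treated as untrusted input restricted to what the UI needs for navigation, and authorization changes go through a separate POST-style path that the session, not the URL, authenticates.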

Freeipa-devel mailing list
