On Tue, 07 Sep 2010 14:45:49 +0200
Pavel Zuna <pz...@redhat.com> wrote:

> Enough text. Waiting for comments. :)

I have one question.
Have you made any consideration wrt security ?

For example you say that you can push a complete state in a URL so that
you can bookmark it.
How does this cope with authentication ?
Is there any way to validate the state is legit server side, or does it
mean we make it an easy target for XSS exploits ?
Last thing I want to see is an admin clicking a link and finding out
that link actually granted some permission to the malicious user that
sent him a carefully crafted email ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
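One way to address the concern raised above, as an added example that is not part of the thread or of FreeIPA's own code: URL-carried state is treated as navigation only and validated against an allow-list, while anything that changes permissions additionally requires a per-session CSRF token that a bookmarked or e-mailed link cannot carry. It assumes the state lives in the query string and constructed key names (`view`, `page`, `filter`).

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: keys a bookmarkable URL may carry, and their accepted values.
# None means "any value", subject to the extra checks below. No key here triggers
# a server-side action; the URL can only select what to display.
ALLOWED_STATE = {
    "view": {"users", "groups", "hosts"},
    "page": None,    # must be a non-negative integer
    "filter": None,  # free text shown back as a search box value, never executed
}


def parse_ui_state(url):
    """Return the navigation state from a URL, rejecting unknown keys or values."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    state = {}
    for key, values in qs.items():
        if key not in ALLOWED_STATE:
            raise ValueError(f"unexpected state key: {key!r}")
        value = values[-1]
        allowed = ALLOWED_STATE[key]
        if allowed is not None and value not in allowed:
            raise ValueError(f"bad value for {key!r}: {value!r}")
        if key == "page" and not value.isdigit():
            raise ValueError("page must be a non-negative integer")
        state[key] = value
    return state


def state_is_legit(url):
    """Boolean wrapper: True only if the URL carries nothing but allowed state."""
    try:
        parse_ui_state(url)
        return True
    except ValueError:
        return False


def make_csrf_token(server_secret, session_id):
    """Per-session token derived from a server-side secret; not derivable from a URL."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_mutation(server_secret, session_id, submitted_token):
    """A permission change is honoured only with a token bound to the caller's session."""
    expected = make_csrf_token(server_secret, session_id)
    return hmac.compare_digest(expected, submitted_token)
```

A link such as `?view=users&grant=admin` fails `parse_ui_state` outright, and even a link that reaches a mutating endpoint cannot supply the session-bound token.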
