Hi
Top posting, don't rip my head off.
I'll try explaining a bit better. English isn't my first language and
it can be a bit hard explaining things that are too abstract sometimes.
So a more hands-on try coming up:
In my catalyst app I have this sub (not really, but this makes things
easier to follow):
Hi
It gives me great pleasure to announce the latest maintenance release
of the Catalyst 5.80 series.
There are two significant changes in this release - one is to
significantly optimise component resolution, and the other to refactor
the debug console output generation code to make it
On Sun, Mar 28, 2010 at 7:12 AM, Jon mailinglists jon.ml...@gmail.com wrote:
In my catalyst app I have this sub (not really, but this makes things
easier to follow):
sub get_info : Local {
    my ($self, $c) = @_;
    # Data about the currently logged-in user, looked up via the session
    my $info = $c->user->member_info;
    my $res =
On 28 Mar 2010, at 15:12, Jon mailinglists wrote:
I then login to my application in one tab, and in another tab access
this js/html. That will give back the data about me since I've got a
valid session which gets sent to my catalyst server. That means
evilempire.com has access to my logged in
On 28 Mar 2010, at 22:41, Bill Moseley wrote:
Hopefully, that's clear -- and correct. ;)
Yes, I think so - in the reply I just sent to the list to this thread
I had entirely neglected to notice that the main issue is the JSONP
thing, rather than the general case of XSRF.
Not to say that
On Sun, Mar 28, 2010 at 3:13 PM, Tomas Doran bobtf...@bobtfish.net wrote:
Speaking of XSRF:
It would be possible to parse the HTML your app output, add an extra hidden
field to any forms you had generated in the page, and then look for a
previously generated token and redirect / refuse the
On 29 Mar 2010, at 01:06, Bill Moseley wrote:
I do this -- every POST must include a token, and the token can only
be used once. That means the form must be fetched before being
posted (to generate the token).
Have anything generic you'd care to share? :)
However this would
On Sun, Mar 28, 2010 at 6:05 PM, Tomas Doran bobtf...@bobtfish.net wrote:
On 29 Mar 2010, at 01:06, Bill Moseley wrote:
I do this -- every POST must include a token, and the token can only be used
once. That means the form must be fetched before being posted (to
generate the token).
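The per-form, single-use token scheme Bill describes above, written out as an added, framework-neutral example (this is not Catalyst code and not from anyone in the thread). It assumes an in-memory token store keyed by session id; a real app would keep the tokens in its session store. A request that arrives with no token, a reused token, a token minted for another session, or an expired token is refused, which is what stops a cross-site page that merely rides on the victim's session cookie.

```python
import secrets
import time

# Constructed stand-in for the session store: session id -> {token: expiry time}
_tokens = {}
TOKEN_TTL = 600  # seconds a fetched form stays postable


def issue_token(session_id, now=None):
    """Called when the form is rendered: mint a one-time token bound to the session."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged cross-site
    _tokens.setdefault(session_id, {})[token] = now + TOKEN_TTL
    return token


def consume_token(session_id, token, now=None):
    """Called on POST: accept the token once, for this session only, then burn it."""
    now = time.time() if now is None else now
    bucket = _tokens.get(session_id, {})
    expiry = bucket.pop(token, None)  # pop makes the token single-use
    if expiry is None:
        return False  # never issued to this session, or already used
    return now <= expiry


def handle_post(session_id, form, now=None):
    """Route-level guard: every POST must carry a valid token or it is refused.

    Returns an (http_status, message) pair. `form` is the decoded POST body.
    """
    token = form.get("csrf_token")
    if not token or not consume_token(session_id, token, now):
        return 403, "refused: missing, reused, foreign or expired token"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed walk-through: fetch the form, post once (ok), post again (refused).
    t = issue_token("sess-A")
    print(handle_post("sess-A", {"csrf_token": t}))
    print(handle_post("sess-A", {"csrf_token": t}))
```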