Christopher Lemmer Webber wrote on 09/03/2018 06:18 AM:
https://docs.racket-lang.org/web-server/faq.html#%28part._.What_special_considerations_are_there_for_security_with_the_.Web_.Server_%29
(I agree with the FAQ btw that a cookie-based approach has major downsides
fwiw.)
For a credible
Philip McGrath writes:
> My understanding is that continuation URIs are not intended to be
> secret/protected by default, just as a URI like
> https://example.com/comment/confirm?post-id=12345=My+great+comment
> doesn't include any security measures. The main way to add security to the
> URIs, as
Neil Van Dyke writes:
> Christopher Lemmer Webber wrote on 09/01/2018 09:05 PM:
>
>> Waterken uses URI fragments to get around this in a secure way, since
>> browsers do not transmit the URI fragment to the server:
>
> There's lots of ways that URL fragment identifiers can leak from a
> browser,
Greg Hendershott writes:
> 1. The web server FAQ has a brief section about this:
>
> https://docs.racket-lang.org/web-server/faq.html#%28part._.What_special_considerations_are_there_for_security_with_the_.Web_.Server_%29
Ah, hadn't seen that! It also refers to the Referer issue.
(I agree with
Jesse Alama writes:
> On 2 Sep 2018, at 3:05, Christopher Lemmer Webber wrote:
>
>> http://localhost:34691/servlets/standalone.rkt;(("k" . "(1 1 2810783)"))
>>
>> That's the id used to retrieve the continuation, right? Presumably
>> this
>> is effectively the session of something someone is
1. The web server FAQ has a brief section about this:
https://docs.racket-lang.org/web-server/faq.html#%28part._.What_special_considerations_are_there_for_security_with_the_.Web_.Server_%29
2. SSL is good to use in any case. Even if you believe your site
doesn't handle any sensitive user
Hi Christopher,
On 2 Sep 2018, at 3:05, Christopher Lemmer Webber wrote:
I appreciate the goal of the continuation web server in Racket as
trying
to avoid the "inversion of control" problem which plagues much web
development. But I wonder if the default continuation web server is
very
Christopher Lemmer Webber wrote on 09/01/2018 09:05 PM:
Waterken uses URI fragments to get around this in a secure way, since browsers
do not transmit the URI fragment to the server:
There's lots of ways that URL fragment identifiers can leak from a
browser, to untrustworthy parties, or to
I can't address all of the considerations you raise, but I can report on a
bit of experience using stateless #lang web-server servlets. (I have no
real experience with the stateful version, which I believe presents
different considerations.)
My understanding is that continuation URIs are not