Brian Warner writes:
> Any idea how to make that work with a python webbrowser.open(URL) call?
> [...] Maybe use a one-time secret URL which emits a page with the
> multiple-use CSRF tokens and then self-destructs?
Sure, like password-reset links sent in email. I'm not entirely sure this approach
> Also, how does the standard solution deal with GETs?
You can put the secret parameter in the URL query string, thus
defeating the porpoise.
More to the point, GETs are supposed to be idempotent and safe. Updating
your server's configuration does not fall into that category. Use only POSTs
On Mon, Jan 24, 2011 at 11:44 AM, Brian Warner war...@lothar.com wrote:
> I had an idea for addressing #467 (static-server selection) this
> morning: so simple and easy to use, I don't know why I hadn't thought of
> it before. (actually I do, that's in the second part of this message).
Sounds
Sorry to be a wet blanket, but: I see why you propose this, but I worry
that it will be too inflexible.
A key property is that with some churn things still work. Once you
add 'required', that breaks.
For 'allowed', I would want to phrase it as disable use of this server
because the default in
On Mon, Jan 24, 2011 at 2:23 PM, Greg Troxel g...@ir.bbn.com wrote:
> Sorry to be a wet blanket, but: I see why you propose this, but I
> worry that it will be too inflexible.
> A key property is that with some churn things still work. Once you add
> 'required', that breaks.
I don't see a