In web2py, I used to sign all the AJAX callback URLs, using the URL(..., 
user_signature=True) method. 

In py4web, I don't see any emphasis on or use of signed URLs.  Why are signed 
URLs not commonly used in py4web? 

A digital signature is useful to prevent JavaScript running from other 
sites (e.g., www.attack.com) from performing AJAX calls to our site (e.g., 
www.example.com). 

Does the same-origin policy prevent these attacks?  I think not.  The 
problem is that the same-origin policy is implemented in the browser, with 
the help of headers returned from the server.  Thus, at the point when the 
policy is enforced, any side effects of the AJAX call (e.g., modifications 
to stored content) might have already happened.  Is my understanding 
correct?  If this is correct, then a way to digitally sign URLs in py4web 
is needed. 

Of course, even if we digitally sign the URLs, an attacker script could 
load the .html page first where the digitally signed URLs are -- but THIS 
is correctly prevented by the same-origin policy, hopefully. 

Is my analysis wrong? 

If we were to implement digitally signed URLs, is there already a random 
token in the user's session that can be used to sign the URLs? If not, it 
would be easy to add. 

Sorry if this is kind of trivial to you all; I am just trying to figure out 
how to do things in py4web that I used to do in web2py... 
I think as useful practice, I am now going to implement a fixture or 
something like that to check for signatures... 

Luca
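The mechanism the post asks about, as an added example that is not part of the original message and not py4web's or web2py's own code: a per-session random token is used as an HMAC key over the URL path and query, the signature is appended as a query parameter, and a fixture-style check verifies it on each request. The parameter name `_signature`, the session key `url_signing_token`, and the `SignatureRequired` class are assumptions made for this illustration. A script on another origin cannot read the page that carries the signed URLs (same-origin policy), so it cannot recover the token or forge a valid signature, and the request is rejected before any side effect occurs.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical parameter name for the signature; not a py4web/web2py identifier.
SIG_PARAM = "_signature"


def new_session_token() -> str:
    """Random per-session secret, to be stored server-side in the session."""
    return secrets.token_hex(32)


def _canonical(path: str, params: list) -> bytes:
    # Exclude the signature itself and sort so parameter order does not matter.
    items = sorted((k, v) for k, v in params if k != SIG_PARAM)
    return (path + "?" + urlencode(items)).encode()


def _mac(path: str, params: list, token: str) -> str:
    # HMAC-SHA256 keyed with the session token over the canonical path+query.
    return hmac.new(token.encode(), _canonical(path, params), hashlib.sha256).hexdigest()


def sign_url(url: str, token: str) -> str:
    """Return url with a signature parameter bound to this session's token."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append((SIG_PARAM, _mac(parts.path, params, token)))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def verify_signed_url(url: str, token: str) -> bool:
    """True only if exactly one signature is present and it matches the token."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    provided = [v for k, v in params if k == SIG_PARAM]
    if len(provided) != 1:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(provided[0], _mac(parts.path, params, token))


class SignatureRequired:
    """Fixture-style check: modelled on the idea of a fixture, not on py4web's API.

    `session` is assumed to be a dict-like object holding the per-session token
    under the hypothetical key "url_signing_token".
    """

    SESSION_KEY = "url_signing_token"

    def __init__(self, session):
        self.session = session

    def check(self, url: str) -> bool:
        token = self.session.get(self.SESSION_KEY)
        return bool(token) and verify_signed_url(url, token)

    def on_request(self, url: str) -> bool:
        # Reject the request before the action runs, so no side effect happens.
        if not self.check(url):
            raise PermissionError("missing or invalid URL signature")
        return True


if __name__ == "__main__":
    # Constructed sample: a session token and an AJAX URL with side effects.
    session = {SignatureRequired.SESSION_KEY: new_session_token()}
    signed = sign_url("https://www.example.com/app/ajax/update?id=42&action=delete",
                      session[SignatureRequired.SESSION_KEY])
    print(signed)
    print(SignatureRequired(session).check(signed))                         # True
    print(SignatureRequired(session).check(signed.replace("id=42", "id=43")))  # False
```

The token must be generated server-side and stored only in the session, never derived from anything a cross-site script can observe; rotating it on login keeps a signature captured before authentication from being replayed afterwards.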
