On Sep 6, 2008, at 11:56 AM, Fabien Potencier wrote:

> Kris Wallsmith wrote:
>> ...but I generally try to obscure the technology behind the sites I work
>> on. For example, I always remove the /sf alias from the web directory in
>> production and use a custom CSRF field name.
>>
>> I see a few more "tells" in the current 1.1 and 1.2 branches that may
>> not be as easy to opt out of, namely the [1.1, 1.2] sf_format and [1.2]
>> sf_method request parameters. Is there a way to customize these
>> parameter names or disable that magic altogether and rely solely on HTTP
>> headers? If not, this "magic" smells a bit like the whole
>> register_globals debacle...
>
> sf_format is never ever revealed in HTML as most of the time, it's
> embedded in your routes.

Yes, but someone could add ?sf_format=json to a URL and possibly alter
the response, thus revealing the framework.

> The sf_method parameter is not mandatory. Just don't use PUT and DELETE
> in your browser.

Same case here, someone could add ?sf_method=PUT.

If this is a case of "convention over configuration" so be it, but it
seems easy enough to add a few parameters to factories.yml and the
sfWebRequest class.

Thanks again,
Kris

> Fabien
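The concern raised in this thread is that a visitor can append ?sf_format=json or ?sf_method=PUT to any URL and watch how the application reacts. Whether or not the parameter names end up being configurable, a site owner can at least see such probing in the access log. The script below is an added example, not code from the thread or from symfony: it parses combined-format log lines (the sample lines are constructed) and flags requests carrying either parameter, noting when sf_method would turn a plain GET into a PUT/DELETE.

```python
"""Flag requests whose query string carries symfony 1.x's sf_format or
sf_method parameters. Added example; log lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format; only client, method, target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Parameter names discussed in the thread; extend this if your app renames them.
TELL_PARAMS = ("sf_format", "sf_method")


def flag_framework_tells(lines):
    """Return one dict per request that carries an sf_* tell in its query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m["target"])
        qs = parse_qs(parts.query, keep_blank_values=True)
        found = {p: qs[p] for p in TELL_PARAMS if p in qs}
        if found:
            hits.append({
                "ip": m["ip"],
                "path": parts.path,
                "status": int(m["status"]),
                "params": found,
                # sf_method lets a GET masquerade as PUT/DELETE; call that out separately
                "method_override": "sf_method" in found and m["method"] == "GET",
            })
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Sep/2008:12:01:03 +0000] "GET /article/12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [06/Sep/2008:12:01:09 +0000] "GET /article/12?sf_format=json HTTP/1.1" 200 412',
    '203.0.113.5 - - [06/Sep/2008:12:01:15 +0000] "GET /article/12?sf_method=PUT HTTP/1.1" 403 218',
    '198.51.100.7 - - [06/Sep/2008:12:02:00 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in flag_framework_tells(SAMPLE_LOG):
        print(hit)
```

A 200 on the sf_format request alongside a different response size than the plain request is the "tell" Kris describes; a 403 on sf_method=PUT shows the override being refused.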

