On 1/24/11 7:43 PM, Chris Palmer wrote:
> To avoid the $SECRET-in-URL leaking problem, put $SECRET in a hidden
> form field that is sent to the server in POST requests to update the
> configuration, rather than in a leakable URL. (Secrets don't belong in
> names, no matter how much you want them to.)
>
> Then you'd have a solution identical to the standard CSRF solution for
> non-cap web apps. It is proven to work well.
>
> Of course, making $SECRET short-lived is still a good idea.
Hmm, I like the idea overall, although of course it explicitly disallows the idea of bookmarking your access to the control panel, but that's kind of the point.

Any idea how to make that work with a python "webbrowser.open(URL)" call? I don't think there's any way to construct a URL which embeds the hidden-form arguments so that you can tell a browser's remote-control API to pop open a window to the control panel. Maybe use a one-time secret URL which emits a page with the multiple-use CSRF tokens and then self-destructs?

Also, how does the "standard solution" deal with GETs? It seems to me that this technique means all your regular href= links to similarly protected resources have to be expressed with POST forms and buttons, which would be kinda unfortunate.

thanks! This is just the sort of discussion I was hoping for!

-Brian

_______________________________________________
tahoe-dev mailing list
[email protected]
http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
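As an added illustration of the scheme discussed in this thread (not code from Tahoe-LAFS or from either poster), the toy control panel below combines the two ideas: a one-time bootstrap URL that can be handed to webbrowser.open() and self-destructs on first GET, and a per-session CSRF token that is only honoured when it arrives in a POST body, never in a URL. The localhost address, the 600-second lifetime and the config field names are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL = 600  # assumed lifetime for both the one-time URL and the token


class ControlPanel:
    """In-memory stand-in for a node's web control panel (constructed example)."""

    def __init__(self, now=time.time):
        self.now = now
        self.bootstrap = {}   # one-time URL secret -> issue time
        self.tokens = {}      # CSRF token -> issue time
        self.config = {}

    def make_bootstrap_url(self):
        """URL to hand to webbrowser.open(); valid once, then self-destructs."""
        s = secrets.token_urlsafe(32)
        self.bootstrap[s] = self.now()
        return "http://127.0.0.1:8000/bootstrap/" + s   # assumed local address

    def _fresh(self, issued):
        return issued is not None and self.now() - issued < TOKEN_TTL

    def handle_get(self, url):
        """GET never changes config: it only trades the one-time URL for a token."""
        parts = urlparse(url).path.split("/")
        if len(parts) == 3 and parts[1] == "bootstrap":
            issued = self.bootstrap.pop(parts[2], None)   # single use, even on failure
            if not self._fresh(issued):
                return 403, None
            token = secrets.token_urlsafe(32)
            self.tokens[token] = self.now()
            return 200, token   # the real page would embed this in a hidden field
        return 404, None

    def handle_post(self, url, body):
        """Config updates need a fresh token in the POST body; the query string is ignored."""
        fields = parse_qs(body)
        token = fields.get("csrf_token", [""])[0]
        if not self._fresh(self.tokens.get(token)):
            return 403
        for key, values in fields.items():
            if key != "csrf_token":
                self.config[key] = values[0]
        return 200
```

Because the bookmarkable URL is consumed on first use and the token is never read from the URL, a leaked Referer or browser history entry carries nothing that can still change configuration.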
