Brian Warner writes:

> Any idea how to make that work with a python "webbrowser.open(URL)" call?
> [...] Maybe use a one-time secret URL which emits a page with the
> multiple-use CSRF tokens and then self-destructs?

Sure, like password-reset links sent in email. I'm not entirely sure this approach would work for this purpose, however.

> Also, how does the "standard solution" deal with GETs?

You can put the secret parameter in the URL query string, thus defeating the porpoise. More to the point, GETs are supposed to be idempotent and safe. Updating your server's configuration does not fall into that category. Use only POSTs for changes in state, just like the HTTP spec says.

Hilariously, the Ruby community found this out the hard way when Google Web Accelerator (a caching proxy just like any other) prefetched links in Rails apps like Delete Item and Buy Now and Blow Up Everything. (Note that browsers also prefetch now, too.)

> It seems to me that this technique means all your regular href= links to
> similarly protected resources have to be expressed with POST forms and
> buttons, which would be kinda unfortunate.

If you crave the visual style of text links, you can always give them JavaScript event handlers:

    <a onclick="deleteAccount()">Delete Account</a>

No href for GWA or whatever to follow.

--
http://noncombatant.org/

_______________________________________________
tahoe-dev mailing list
http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
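The scheme the thread converges on (a one-time bootstrap URL that hands the browser multi-use CSRF tokens and then dies, with state changes accepted only via POST), as an added Python example that is not part of the original message or of Tahoe-LAFS; the CsrfGuard class, its paths and its in-memory stores are constructed for illustration.

```python
import hmac
import secrets


class CsrfGuard:
    """Hypothetical in-memory model of the one-time-URL + CSRF-token scheme."""

    def __init__(self):
        self._bootstrap = set()  # one-time secrets not yet redeemed
        self._tokens = set()     # multiple-use CSRF tokens handed to pages

    def new_bootstrap_url(self):
        # The URL passed to webbrowser.open(); redeemable exactly once.
        secret = secrets.token_urlsafe(32)
        self._bootstrap.add(secret)
        return "/start/" + secret

    def _token_ok(self, supplied):
        # Constant-time comparison against every issued token.
        s = supplied.encode()
        return any(hmac.compare_digest(s, t.encode()) for t in self._tokens)

    def handle(self, method, path, query=None, form=None):
        """Tiny dispatcher returning (status, body) like a web handler would."""
        form = form or {}
        if path.startswith("/start/"):
            secret = path[len("/start/"):]
            if secret not in self._bootstrap:
                return 404, "unknown or already used bootstrap link"
            self._bootstrap.discard(secret)        # self-destruct after first use
            token = secrets.token_urlsafe(32)
            self._tokens.add(token)
            return 200, token                      # page embedding the token
        if path == "/config":
            if method != "POST":
                # GET stays safe and idempotent: a prefetching proxy or
                # browser following this link must never change state, and
                # a token smuggled in the query string is not honoured.
                return 405, "state changes require POST"
            if not self._token_ok(form.get("csrf_token", "")):
                return 403, "missing or invalid CSRF token"
            return 200, "configuration updated"
        return 404, "not found"
```
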
