Hi,

> > A quick fix at the TG level would be to have JSON controllers only return
> > JSON for POST requests.
>
> And then break caching and the whole idea of POST / GET and data
> modification...

Well, this is the fun of quick fixes - they're rarely perfect! The other options are:

1) To make the JSON returned deliberately invalid javascript, and have the client library patch this up
2) To include an authorisation token in the URL of the JSON callback (e.g. /getinfo?tok=1234)

Both of these would need a fair whack more work. Personally I would rather be secure than have caching work. And the POST/GET separation, well, I agree with the cautions about not modifying on GET requests, but having a POST request that doesn't actually modify doesn't seem particularly bad.

Paul
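
The three options discussed in this message, side by side, as an added example that is not part of the original thread and is not TurboGears code. The function names, the `)]}',` guard prefix and the HMAC-derived session token are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json

# All names below are hypothetical; none of this is TurboGears API.
SERVER_KEY = b"constructed-demo-key"  # constructed value; use a random secret in practice
GUARD = ")]}',\n"                     # assumed prefix: a syntax error if run as a script


def session_token(session_id):
    """Option 2: a token bound to the caller's session, sent as ?tok=..."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def json_response(method, session_id, query, data, mode):
    """Return (status, body) for a JSON controller under one mitigation.

    mode: "post_only" (the quick fix), "guard" (option 1) or "token" (option 2).
    """
    if mode == "post_only":
        # A script tag on another site can only send GET, so GET gets no data.
        # Cost: the response is no longer cacheable as a GET.
        if method != "POST":
            return 405, ""
        return 200, json.dumps(data)
    if mode == "guard":
        # GET stays cacheable; the body cannot be evaluated as JavaScript.
        return 200, GUARD + json.dumps(data)
    if mode == "token":
        # Compare as bytes so a non-ASCII ?tok= value is rejected, not an error.
        supplied = query.get("tok", "").encode()
        expected = session_token(session_id).encode()
        if not hmac.compare_digest(supplied, expected):
            return 403, ""
        return 200, json.dumps(data)
    raise ValueError("unknown mode: %r" % (mode,))


def client_parse(body):
    """Client-library side of option 1: strip the guard, then parse as data."""
    if not body.startswith(GUARD):
        raise ValueError("missing guard prefix")
    return json.loads(body[len(GUARD):])
```
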

