On 11/25/2013 05:55 PM, Chris Double wrote:
If I understand correctly, Ur/Web has built-in CSRF protection for forms. Does this extend to POST requests done via 'rpc' calls in 'onclick' handlers on buttons? For example:

<button onclick={fn _ => rpc (delete_something ())}/>

Can the POST request that occurs in the onclick be recorded and replayed, or run via an evil site in an iframe (or any other CSRF vector)? A quick test gave me a cookie error so I'm thinking it's safe but I'd like to confirm.
All requests that cause persistent side effects are meant to be CSRF-protected. There's something in particular in there for [rpc]. I'm not sure offhand if there are holes, maybe via 'safeGet', but the intent is that you're OK if you don't go making funny .urp settings.
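To make concrete what "CSRF-protected" means for a side-effecting rpc endpoint, here is an added illustration (not Ur/Web's code, and not a description of how Ur/Web implements its check) of the general mechanism: a server accepts a state-changing POST only if it carries a token that is bound to the caller's session cookie. A page on another origin can make the browser send the cookie, but it cannot read or forge the token, so the embedded-iframe and cross-site-form vectors from the question are rejected. The server secret, the `Request` shape, the cookie and field names, and the origins are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Server-side secret used to derive per-session tokens (constructed for the example;
# a real deployment would load it from configuration, not generate it at import time).
SECRET_KEY = secrets.token_bytes(32)

# Origin the application is served from (assumed value for this example).
APP_ORIGIN = "https://app.example"


def make_session() -> str:
    """Mint a fresh opaque session identifier, as the login flow would."""
    return secrets.token_hex(16)


def csrf_token_for(session_id: str) -> str:
    """Derive the CSRF token that belongs to one session.

    The token is a keyed hash of the session id, so it cannot be computed
    without SECRET_KEY and is useless with any other session cookie.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed shape)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    origin: Optional[str] = None  # value of the Origin header, if the browser sent one


def authorize_rpc(req: Request) -> Tuple[bool, str]:
    """Decide whether a side-effecting rpc call may run.

    Returns (allowed, reason) so callers can log the reason on rejection.
    """
    # Persistent side effects must never be reachable by a plain GET,
    # otherwise an <img src=...> on any site could trigger them.
    if req.method != "POST":
        return False, "side-effecting rpc must be POST"

    session_id = req.cookies.get("session")
    if not session_id:
        return False, "no session cookie"

    # The browser attaches the cookie automatically, even for cross-site
    # requests, so the cookie alone proves nothing about who built the request.
    token = req.form.get("csrf")
    if not token or not hmac.compare_digest(token, csrf_token_for(session_id)):
        return False, "csrf token missing or not bound to this session"

    # Defence in depth: if the browser tells us the initiating origin, it must be ours.
    if req.origin is not None and req.origin != APP_ORIGIN:
        return False, "request initiated from a foreign origin"

    return True, "ok"


def demo() -> dict:
    """Run the three scenarios from the question and return each verdict."""
    sid = make_session()
    legit = Request("POST", {"session": sid}, {"csrf": csrf_token_for(sid)}, APP_ORIGIN)
    # A page on another site embedding the app in an iframe: cookie rides along,
    # but the attacker-controlled page cannot supply the session-bound token.
    framed = Request("POST", {"session": sid}, {}, "https://evil.example")
    # A recorded request replayed after the user has logged in again under a new
    # session: the old token no longer matches the new cookie.
    new_sid = make_session()
    replayed = Request("POST", {"session": new_sid}, {"csrf": csrf_token_for(sid)}, APP_ORIGIN)
    return {
        "legitimate": authorize_rpc(legit),
        "iframe_cross_site": authorize_rpc(framed),
        "replayed_old_token": authorize_rpc(replayed),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "cookie error" mentioned in the question is consistent with this kind of check failing closed: the request reached the endpoint with a cookie present but without the matching session-bound credential, so it was refused rather than executed.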
_______________________________________________ Ur mailing list [email protected] http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
