Hi,

Enabling use_secure_urls has some side effects which I'm looking at how
to solve.

For example, a user might have defined a bookmark to the RC login page
(www.example.com/webmail/). This works fine just as long as the user is
not yet logged in. However, if the user is already logged in and the user
wants to check whether there is any new mail and therefore clicks the
bookmark, an error page with "Access to this service was denied due to
failing security checks!" is shown. The user should then click the
"click here to try again" link which will redo the request but now with
the correct token in the URL. Since the GET request is redone but now
with the correct token added, to me it looks like checking the URL token
for GET requests will not bring additional security because if the user
clicks the "click here to try again" link, the request will be done anyway.

Is it possible to disable the secure URL check for certain pages and/or
requests? Perhaps with a plugin? Or is it all or nothing?

Kind regards,

Martijn Brinkers
_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users