> I know that there are security experts/security "fans" watching over
> web2py's code, so I'll leave this topic to them for further analysis, but
> as Anthony suggested it seems that web2py is fine. Django and Rails use a
> somewhat "static" token, while web2py generates a new one for every form.
> This cripples a little bit the JavaScript interaction, but seems to give
> web2py a nicer security model until BREACH gets somehow fixed at higher
> levels.
>
Note, I think we're OK on CSRF, but there may be other ways to use the exploit (e.g., to get PII from a page).

Anthony
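The two token models the thread contrasts, as an added illustration that is not web2py's, Django's or Rails' own code: `PerFormTokens` issues a fresh single-use token per rendered form (the web2py-style model described above), and `MaskedStaticToken` shows one way a per-session static token can still be embedded as different bytes in every response. Class names and the eviction limit are assumptions.

```python
import hmac
import secrets

class PerFormTokens:
    """One fresh random token per rendered form, accepted exactly once."""
    def __init__(self, max_outstanding=64):
        self.outstanding = []            # issued but not yet consumed
        self.max_outstanding = max_outstanding  # assumed cap on session growth

    def issue(self):
        token = secrets.token_urlsafe(32)   # never repeats across responses
        self.outstanding.append(token)
        if len(self.outstanding) > self.max_outstanding:
            self.outstanding.pop(0)         # evict the oldest outstanding form
        return token

    def validate(self, submitted):
        # Consume the token on first successful use so it cannot be replayed.
        for t in list(self.outstanding):
            if hmac.compare_digest(t.encode(), submitted.encode()):
                self.outstanding.remove(t)
                return True
        return False

class MaskedStaticToken:
    """A single per-session secret, XOR-masked with a fresh pad per response."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def issue(self):
        # The page embeds pad || (pad XOR secret); the secret itself never
        # appears as a fixed byte string in the response body.
        pad = secrets.token_bytes(len(self.secret))
        masked = bytes(a ^ b for a, b in zip(pad, self.secret))
        return (pad + masked).hex()

    def validate(self, submitted):
        try:
            raw = bytes.fromhex(submitted)
        except ValueError:
            return False
        n = len(self.secret)
        if len(raw) != 2 * n:
            return False
        pad, masked = raw[:n], raw[n:]
        unmasked = bytes(a ^ b for a, b in zip(pad, masked))
        return hmac.compare_digest(unmasked, self.secret)
```

In both models two consecutive renders of the same form carry different token bytes; the per-form model additionally rejects a token once it has been used.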

