#3796: remove _csrf_token from display URLs
-------------------------+------------------------------
Reporter: till | Owner: webmaster
Type: enhancement | Status: new
Priority: major | Milestone: HANDWAVY-FUTURE
Component: Web Content | Version:
Severity: Normal | Resolution:
Keywords: EasyFix | Blocked By:
Blocking: | Sensitive: 0
-------------------------+------------------------------
Comment (by till):
The JavaScript snippet should probably be hosted only at
admin.fedoraproject.org, to prevent people with access to the
fedoraproject.org web root from manipulating login forms or using each
web application that includes the snippet with the privileges of each
user, e.g. by adding
[[http://en.wikipedia.org/wiki/BeEF_%28Browser_Exploitation_Framework%29|BeEF]]
to it.
--
Ticket URL:
<https://fedorahosted.org/fedora-infrastructure/ticket/3796#comment:2>
Fedora Infrastructure <http://fedoraproject.org/wiki/Infrastructure>
Fedora Infrastructure Project for Bugs, feature requests and access to our
source code.
--
websites mailing list
https://admin.fedoraproject.org/mailman/listinfo/websites