Florent Guillaume wrote:
> Oliver Bleutgen  <[EMAIL PROTECTED]> wrote:
>>The issue of client side trojan recently came to my mind again.
>>I think zope's management methods (the potentially destructive ones)
>>should not accept REQUESTs with REQUEST_METHOD "GET".
> I like the idea of trying to secure that kind of thing a lot.
> Unfortunately, considering how trivial it is for Javascript code to do a
> POST programmatically, I don't see how that proposal would actually
> help.

Although I repeat myself, implementing this proposal would give me a lot 
of options to prevent myself from this kind of attack, completely or 

- In Internet Explorer I can disable javascript. (problem solved)
- In Internet Explorer I use the zone restrictions (prevents attacks 
from untrusted servers)
- I can do the same in mozilla
- additionally, in mozilla I can just disable form submitting in 
javascript, with something like (this is surely wrong)
user_pref("capability.policy.default.HTMLFormElement.submit", "noAccess");
Put this in your prefs.js file and you are done.

Really, it _would_ help.


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )
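
The proposal in this message, sketched as an added example (not from the thread and not Zope's own code): a decorator that refuses destructive management methods unless the request's REQUEST_METHOD is POST, which is slightly stricter than refusing only GET. `require_post`, `Forbidden`, `Folder`, `delete_objects` and `attempt` are hypothetical names, and the request is assumed to be a mapping passed as a parameter named `REQUEST`.

```python
import functools
import inspect

class Forbidden(Exception):
    """A management method was reached with a disallowed HTTP method."""

def require_post(func):
    """Reject calls whose REQUEST was not submitted with POST.

    Assumption: the request is passed as a parameter named REQUEST, a mapping
    with a 'REQUEST_METHOD' key. Calls with no REQUEST (plain Python callers)
    are allowed, since no browser is involved.
    """
    sig = inspect.signature(func)

    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        # Bind so REQUEST is found whether passed positionally or by keyword.
        request = sig.bind(*args, **kwargs).arguments.get("REQUEST")
        if request is not None:
            method = str(request.get("REQUEST_METHOD", "")).upper()
            if method != "POST":
                raise Forbidden(f"{func.__name__}: POST required, got {method!r}")
        return func(*args, **kwargs)
    return wrapper

class Folder:
    """Hypothetical stand-in for an object exposing management methods."""

    def __init__(self, ids):
        self.objects = set(ids)

    def list_ids(self, REQUEST=None):  # read-only, fine over GET
        return sorted(self.objects)

    @require_post
    def delete_objects(self, ids, REQUEST=None):  # destructive
        self.objects -= set(ids)
        return sorted(self.objects)

def attempt(folder, ids, request):
    """Return 'ok' or 'forbidden' for a delete made with the given request."""
    try:
        folder.delete_objects(ids, request)
        return "ok"
    except Forbidden:
        return "forbidden"
```

The check covers only the GET vector the proposal targets; the script-driven POST raised in the quoted objection is not affected by it.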