On 2009-09-18 14:05, Alexander Klimetschek (JIRA) wrote:
> Correct, both are XSS vulnerable. Only plain basic auth is not XSS vulnerable.
Please excuse me hijacking this thread.
If I want to prevent XSRF, cross site request forgery, a simple recipe
is also to have a shared secret between client and server, yet, one that
is not specific to a user, but specific to a transaction.
A more RESTful alternative was to have certain transactions always
prompt the user for credentials. Does Sling have such a forced "logout"
method? I wonder if I can send a "401 Unauthorized" from esp, that would
make the browser display a prompt, even if the request was already
granted, and only later process a request? But then, how to know it's
the second time?
--
peter