On 4/7/11, Nick <suckless-...@njw.me.uk> wrote:
> Quoth Bjartur Thorlacius:
>> On 4/7/11, Adam Strzelecki <o...@java.pl> wrote:
>> > (2) surf-2-delete-_SURF_GO-once-received.patch
>> >
>> > This xprop (atom) may be used to tell *surf* to go to a specific URL. It is
>> > safer to remove this atom just after it is set in case we send some URL
>> > containing passwords or auth tokens such as
>> > http://login:mypassw...@myserver.com/
>> > Anyway _SURF_URI will represent the current page URL, so keeping _SURF_GO makes
>> > no sense. In our case it is a matter of safety to not expose this one.
>> >
>> Is there no race condition inherent? What happens if you try to read
>> _SURF_GO just after it's set?
>
> _SURF_GO shouldn't be read, though, it's only used for telling surf
> to load a new page. Unless I'm misunderstanding your point.
>
If it can't be read, then what's the original security breach?
