Till Maas wrote:
> On Tue November 25 2008, Mike McGrath wrote:
>
>> GET vs POST is an interesting discussion. From a security point of view
>> though the only advantage is in how we log and that GET requests stay in
>> the logs.
>
> There may also be some other issues, e.g. when GET requests are used to
> submit confidential data, because then they may also be stored in the
> browser's history. But my concern was not about security issues.
>
>> Obviously though an authenticated web crawler could accidentally do some
>> serious damage.
>
> It would not necessarily be serious damage, but the browser's session
> management could show annoying behaviour, because then some requests could
> be made every time a user restores a browser session.

For these issues we could either concentrate on fixing or mitigating them. Fixing them would require the laborious changes I talked about earlier to change the way the framework already processes the POST and GET parameters before they get to us. Mitigation is easier -- we should make it part of our best practices to never have links or GET-driven forms that make state changes when designing the UI and templates.
-Toshio
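The mitigation proposed in the message above (state changes only behind POST, never behind a link or a GET-driven form) can be enforced centrally instead of relying on every template author remembering it. The following is an added illustration, not code from the Fedora infrastructure project or from this thread: a small dispatcher in which routes that mutate state are registered as such and a GET to one of them is refused before the handler runs. The route names, the in-memory "database" and the session-restore replay are all constructed for the example.

```python
"""
Added example: gate state-changing handlers behind POST so that a restored
browser session, a prefetching proxy or an authenticated crawler following
links cannot mutate application state. Everything here is constructed for
illustration and is not the project's own code.
"""
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed stand-in for the application's persistent state.
DB: Dict[str, Set[str]] = {"group_members": set()}

# A route is (handler, mutates). Handlers that change state are registered
# with mutates=True; the dispatcher only lets POST reach them.
Route = Tuple[Callable[[dict], str], bool]
ROUTES: Dict[str, Route] = {}


def reset_db(members: Iterable[str]) -> None:
    """Put the constructed database into a known state (used by the demo)."""
    DB["group_members"] = set(members)


def route(path: str, mutates: bool = False):
    """Decorator registering a handler and whether it changes state."""
    def register(handler: Callable[[dict], str]) -> Callable[[dict], str]:
        ROUTES[path] = (handler, mutates)
        return handler
    return register


@route("/group/members")
def list_members(params: dict) -> str:
    # Read-only: safe to reach via GET, a bookmark or a restored tab.
    return ",".join(sorted(DB["group_members"]))


@route("/group/remove", mutates=True)
def remove_member(params: dict) -> str:
    # State-changing: must never be reachable from a plain link.
    DB["group_members"].discard(params.get("user", ""))
    return "removed"


def dispatch(method: str, path: str, params: dict) -> Tuple[int, str]:
    """Return (status, body). A GET to a mutating route is rejected with 405
    before the handler executes, so no state changes can be triggered by
    merely following or re-opening a URL."""
    entry = ROUTES.get(path)
    if entry is None:
        return 404, "not found"
    handler, mutates = entry
    if mutates and method != "POST":
        return 405, "state-changing action requires POST"
    return 200, handler(params)


def simulate_session_restore(history: List[Tuple[str, dict]]):
    """A browser restoring its session re-issues every URL it had open as a
    GET. Replay such a history and report the resulting responses and the
    state afterwards, which should be unchanged."""
    results = [dispatch("GET", path, params) for path, params in history]
    return results, set(DB["group_members"])


if __name__ == "__main__":
    reset_db({"alice", "bob"})
    print(dispatch("POST", "/group/remove", {"user": "alice"}))  # real form submit
    reset_db({"alice", "bob"})
    print(simulate_session_restore([("/group/remove", {"user": "bob"}),
                                    ("/group/members", {})]))
```

With the check in place the only way to remove a member is an explicit POST; the same URL re-requested by a restored session or crawled by an authenticated bot returns 405 and leaves the group untouched, which is exactly the behaviour the "never make state changes on GET" practice is meant to guarantee.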
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list