On 25 June 2010 21:54, Robert Collins <[email protected]> wrote:
> I like the idea of sending emails when important account settings are
> changed: it helps with:
>  - cross site attacks
>  - APIs that permit changing such settings
>  - screen scraping via embedded browser instances
>
> and possibly more.
>
> It's also nonintrusive and straightforward, and we could include a
> confirmation token in the email people get sent too, if we felt that's
> needed.

Yes, I think sending email to the old/most trusted address is the best
practice here. Adding a confirmation click (and I note your "if")
does somewhat get in the way of doing things, well, quickly.

I think generally the rule should be that we require it for API
changes when we require it for changes through the web interface.

--
Martin

_______________________________________________
Mailing list: https://launchpad.net/~launchpad-dev
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~launchpad-dev
More help   : https://help.launchpad.net/ListHelp

