On 3/27/11 10:28 AM, Mike Hansen wrote:
> Hello,
>
> On Sun, Mar 27, 2011 at 1:08 AM, Jason Grout
> <jason-s...@creativetrax.com>  wrote:
>> Rado or Mike: how do you think we should get jmol requests to be recognized
>> as requests coming from an authenticated user?
>
> The issue is that the secure cookie that Flask uses is sent as
> httponly, which the Java applet won't send.  Adding this patch to the
> notebook code will fix that:
>

You're brilliant!

As I understand it, putting httponly=False opens us up to another avenue of cross-site scripting attacks, though [1]. If there's any way to avoid it, it seems that would be good. Here are some possible options:

1. Use javascript to request the files for the java applet, instead of making the applet request the files

2. Make the .jmol and .jmol.zip files not require authentication to retrieve

What do you think, Mike?

Thanks,

Jason

[1] See http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html, though http://www.gnucitizen.org/blog/why-httponly-wont-protect-you/ presents the case that httponly does not protect you against everything.
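As an added illustration (not code from the Sage notebook or from Flask), here is a simplified signed session cookie in the spirit of Flask's secure cookie, kept HttpOnly, together with the request-authorization rule of option 2 above: .jmol and .jmol.zip files are served without a session, everything else needs a valid one. The secret key, user name and paths are constructed for the example.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

# Constructed placeholder; a real deployment would load this from configuration.
SECRET_KEY = b"constructed-demo-secret"


def sign_session(user):
    """Return 'user|mac' where mac is an HMAC-SHA256 over the user name.
    This is a deliberately simplified stand-in for Flask's signed cookie."""
    mac = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user + "|" + mac


def verify_session(value):
    """Return the user name if the signature checks out, otherwise None."""
    user, sep, _mac = value.rpartition("|")
    if not sep:
        return None
    # Constant-time comparison of the full 'user|mac' string.
    return user if hmac.compare_digest(sign_session(user), value) else None


def session_set_cookie_header(user, httponly=True):
    """Build the Set-Cookie value for the session; HttpOnly is the default.
    Passing httponly=False is the weakening the thread warns about."""
    jar = SimpleCookie()
    jar["session"] = sign_session(user)
    jar["session"]["path"] = "/"
    jar["session"]["httponly"] = httponly  # omitted from the header when False
    return jar.output(header="").strip()


def is_public_jmol_asset(path):
    """Option 2 from the thread: .jmol and .jmol.zip files need no login."""
    return path.endswith(".jmol") or path.endswith(".jmol.zip")


def authorize(path, cookie_header):
    """Decide whether a request may be served. Returns (allowed, user_or_None)."""
    if is_public_jmol_asset(path):
        return True, None
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "session" not in jar:
        return False, None
    user = verify_session(jar["session"].value)
    return (user is not None), user
```

With the asset paths public, the applet can fetch them without any cookie, so the session cookie can stay HttpOnly for the rest of the notebook.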

--
To post to this group, send an email to sage-devel@googlegroups.com
To unsubscribe from this group, send an email to 
sage-devel+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/sage-devel
URL: http://www.sagemath.org