Terri wrote:
> On Jun 12, 7:07 am, Gervase Markham <[EMAIL PROTECTED]> wrote:
>> True. SSP in its current form is not a mechanism for locking down all
>> page communications
>
> Shouldn't it be?

What's the use case for locking down all page communications?

> Site admins will already have to provide all the
> necessary information in order to be SSP compliant, so it makes sense
> to me to give them extra protection.

Total lockdown is a side-effect of a particular implementation strategy. If you can provide a use case, it may influence which strategy is used.

>> The restriction of SSP to POST also means that it wouldn't be useful to
>> prevent "bandwidth stealing".
>
> It also means that it wouldn't be that useful to prevent cross site
> request forgery (realistically, "safe" operations aren't unless your
> web programmers abide by them, and I would venture that many don't).

I would venture that most do. Doing a web purchase via a GET runs into problems with e.g. the user doing a Reload.

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
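The CSRF point in the exchange above, as an added example that is not part of the thread and not Mozilla's SSP code: a toy model of a request-restriction policy that, as the thread says of the SSP draft, is applied to POST only, placed next to a server whose "safe" GET is not actually safe. The policy shape, the hosts bank.example and evil.example, and the /transfer endpoint are all assumptions made for the illustration.

```javascript
// Added example (hypothetical names throughout): a browser-side request
// restriction that only polices POST, and a server whose GET mutates state.

// Policy as the thread describes it: cross-site POSTs to the site are
// restricted to an origin allowlist; GETs are not restricted at all.
const SSP_POLICY = {
  site: "bank.example",
  allowedRequestOrigins: ["bank.example"],
  restrictedMethods: ["POST"], // the limitation under discussion
};

// Simplified browser-side enforcement: should a request that the page at
// req.origin makes to req.host be sent at all?
function browserAllows(policy, req) {
  if (req.host !== policy.site) return true; // policy covers only its own site
  if (!policy.restrictedMethods.includes(req.method)) return true; // GET slips through
  return policy.allowedRequestOrigins.includes(req.origin);
}

function makeAccount() {
  return { balance: 100 };
}

// Server version 1: the transfer is reachable by GET as well as POST, i.e.
// the "safe" method is not safe. Returns an HTTP-style status code.
function serveLoose(account, req) {
  if (req.path !== "/transfer") return 404;
  if (req.method === "GET" || req.method === "POST") {
    account.balance -= Number(req.params.amount);
    return 200;
  }
  return 405;
}

// Server version 2: state changes only on POST; GET /transfer is refused,
// which also avoids a browser Reload repeating the purchase.
function serveStrict(account, req) {
  if (req.path !== "/transfer") return 404;
  if (req.method !== "POST") return 405;
  account.balance -= Number(req.params.amount);
  return 200;
}

// Simulate one request (e.g. an <img src> for GET, a hidden auto-submitted
// form for POST) issued by a page at `origin` against bank.example.
function simulate(policy, serve, origin, method) {
  const account = makeAccount();
  const req = { origin, host: "bank.example", method, path: "/transfer", params: { amount: "40" } };
  const status = browserAllows(policy, req) ? serve(account, req) : "blocked";
  return { status, balance: account.balance };
}

// Cross-site GET against the loose server: the policy never looks at it and
// the balance drops, despite the site being "SSP compliant" in this model.
const csrfViaGet = simulate(SSP_POLICY, serveLoose, "evil.example", "GET");
// Cross-site POST: the policy blocks it before it reaches the server.
const csrfViaPost = simulate(SSP_POLICY, serveLoose, "evil.example", "POST");
// Same attacks against the strict server: GET is refused server-side.
const strictGet = simulate(SSP_POLICY, serveStrict, "evil.example", "GET");
// A legitimate same-site POST still works against the strict server.
const legit = simulate(SSP_POLICY, serveStrict, "bank.example", "POST");
```

The point the model makes is the one Terri raises: a policy that only restricts POST protects a site exactly as far as its developers keep GET side-effect free, so the server-side discipline (serveStrict) is what actually closes the GET-based forgery, and the policy then adds protection on top for POST.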