Till Maas wrote:
> On Tue November 25 2008, Toshio Kuratomi wrote:
>> Till Maas wrote:
>
>>> It is recommended to not use GET requests to change state on the server,
>>> therefore it would be probably better to change these GET requests to
>>> POST requests.
>> The proposal doesn't specifically mention POST there as well but it
>> should to make things clearer:
>>
>> "Every time we submit a form or make a GET request that can change state
>> on the server"
>>
>> s/submit/POST/
>> /me changes that now.
>>
>> The reasons the proposal is explicit about GET are:
>>
>> 1) We'd have to constantly audit code for places where GET is being used
>> to alter state and change that. This is doable if the app authors are
>> aware of this but not so scalable if it's me going through and making
>> those changes.
>
> Now I am confused. Do you want to require the token for every request of an
> authenticated user then, regardless of whether or not they can change state
> on the server?
>
To be easy to code, require the token for every request of an authenticated user.

-Toshio
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
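
The two policies discussed in the thread, compared on the same requests. This is an added example, not code from the thread or from the proposal; the HMAC-based token, the key, the paths and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server


def token_for(session_id):
    """Token bound to the session; another site cannot compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def allowed(method, session_id, token, policy):
    """Decide whether a request may proceed.

    policy "post-only":     check the token on POST requests only.
    policy "every-request": check it on every authenticated request.
    """
    if session_id is None:  # not authenticated: no session to ride on
        return True
    if policy == "post-only" and method != "POST":
        return True
    return token is not None and hmac.compare_digest(token, token_for(session_id))


# Constructed sample requests: (method, path, session id, token sent)
SID = "session-1234"
REQUESTS = [
    ("GET", "/package/list", SID, token_for(SID)),     # link inside the app
    ("POST", "/package/update", SID, token_for(SID)),  # normal form submit
    ("POST", "/package/update", SID, None),            # cross-site form, no token
    ("GET", "/package/delete?id=7", SID, None),        # GET handler that changes state
    ("GET", "/package/list", None, None),              # anonymous visitor
]


def decisions(policy):
    """Allow/deny decision for each sample request under the given policy."""
    return [allowed(m, sid, tok, policy) for m, _path, sid, tok in REQUESTS]


if __name__ == "__main__":
    for policy in ("post-only", "every-request"):
        print(policy, decisions(policy))
```

Under "post-only" the tokenless state-changing GET is allowed unless someone audits that handler and converts it to POST; under "every-request" it is rejected without any per-handler audit.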