Mike McGrath wrote:
> CSRF:
>
> CSRF is a pretty serious deal, toshio is working on it but I'm sure he can
> use some help.
>
> Ticket: #992
>

Till brought up concerns with a decrease in usability to do it the way I've outlined. This is certainly a valid problem. The question is whether it outweighs the benefit of mitigating the effects of programmer errors. Till didn't reply to my last message... though it might be that he just decided I was too stubborn to change rather than agreeing with me :-).

If anyone sees a way to reconcile both "click from email" and "prevent spoofing by default" let me know, otherwise I'm committing code soon.

If anyone wants to help code, this is a problem that is easily broken into pieces. So one person can get involved with creating our custom version of tg.url() while someone else updates the identity provider and someone else updates the BaseClient implementations.

-Toshio
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list