Re: [Fedora Infrastructure] #3796: remove _csrf_token from display URLs

#3796: remove _csrf_token from display URLs
-------------------------+------------------------------
 Reporter:  till         |       Owner:  webmaster
     Type:  enhancement  |      Status:  new
 Priority:  major        |   Milestone:  HANDWAVY-FUTURE
Component:  Web Content  |     Version:
 Severity:  Normal       |  Resolution:
 Keywords:  EasyFix      |  Blocked By:
 Blocking:               |   Sensitive:  0
-------------------------+------------------------------

Comment (by till):

 The JavaScript snippet should probably be hosted only at
 admin.fedoraproject.org, to prevent people with access to the
 fedoraproject.org web root from manipulating login forms or using each web
 application that includes the snippet with the privileges of each user,
 e.g. by adding BeEF
 (http://en.wikipedia.org/wiki/BeEF_%28Browser_Exploitation_Framework%29)
 to it.

-- 
Ticket URL: <https://fedorahosted.org/fedora-infrastructure/ticket/3796#comment:2>
Fedora Infrastructure <http://fedoraproject.org/wiki/Infrastructure>
Fedora Infrastructure Project for Bugs, feature requests and access to our source code.
-- 
websites mailing list
websites@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/websites
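Added example, not code from the ticket or from Fedora Infrastructure, of the audit that till's concern calls for: for a given page, list the scripts it includes, resolve them against the page URL, and flag any include that comes from an origin outside an allowlist and is not pinned by Subresource Integrity. The allowlist containing only admin.fedoraproject.org, the sample HTML and the page URL are constructed assumptions.

```python
"""Audit which origins an HTML page loads scripts from and whether each
include is pinned with Subresource Integrity (SRI). Illustrative only:
a script served from a web root many people can write to is effectively
trusted by every page that includes it."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical policy: only this origin may serve shared scripts.
TRUSTED_SCRIPT_ORIGINS = {"https://admin.fedoraproject.org"}

# Constructed sample page, as an application on fas.fedoraproject.org might serve.
SAMPLE_PAGE = """<html><head>
<script src="/static/local.js"></script>
<script src="//fedoraproject.org/static/js/shared-snippet.js"></script>
<script src="https://admin.fedoraproject.org/static/js/shared-snippet.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA"></script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def audit_script_includes(html, page_url, trusted=TRUSTED_SCRIPT_ORIGINS):
    """Return the script includes that are neither same-origin, nor from a
    trusted origin, nor pinned by an integrity attribute."""
    parser = ScriptCollector()
    parser.feed(html)
    page_origin = _origin(page_url)
    findings = []
    for src, integrity in parser.scripts:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ URLs
        origin = _origin(absolute)
        if origin == page_origin or origin in trusted:
            continue
        if integrity:  # any SRI hash accepted here; a changed file then fails to load
            continue
        findings.append({"src": absolute, "origin": origin})
    return findings
```

Run against the sample, only the protocol-relative include from the fedoraproject.org web root is reported; the admin.fedoraproject.org copy and the SRI-pinned CDN library are accepted.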
