Re: Global Namespaces
- Subject: Re: Global Namespaces
- From: Chris Travers <..hidden..>
- Date: Sat, 13 Mar 2010 12:27:34 -0800
On Sat, Mar 13, 2010 at 12:12 PM, Luke <..hidden..> wrote:
> Wouldn't it be somewhat more secure, not to use GET at all?
> Or, at least, very minimally?
>
> We won't be sending passwords that way any more, but still...
>

Well, it doesn't entirely prevent XSRF attacks, so the benefit would
be very minimal.

Furthermore, if we agree that data shouldn't be saved to the db on a
GET request, then the XSRF benefits are the same.

I guess there is a question why
reports/trial_balance.html?from=2009-01-01&to=2009-12-31&ignore_yearend=none
would be any less secure than requiring a POST.

Best Wishes,
Chris Travers
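
Added example (not part of the original message or of the project's code): a minimal Python dispatcher sketching the rule discussed in this message, where GET routes only read and anything that saves to the db is reachable only by POST with a session-bound token. The route table, the "/entries/new" path, the token scheme and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SECRET = secrets.token_bytes(32)   # constructed per-process key for the example
LEDGER = []                        # stand-in for the database

def csrf_token(session_id):
    """Token bound to the session; a cross-site page cannot read or guess it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def trial_balance(params):
    # Read-only report: filters come from the query string, nothing is written.
    return {"from": params["from"][0], "to": params["to"][0], "entries": len(LEDGER)}

def new_entry(params):
    # State change: only ever registered under POST.
    LEDGER.append(params["amount"][0])
    return {"saved": True}

# (method, path) -> (handler, writes_to_db). "/entries/new" is hypothetical.
ROUTES = {
    ("GET", "/reports/trial_balance.html"): (trial_balance, False),
    ("POST", "/entries/new"): (new_entry, True),
}

def dispatch(method, url, session_id, form=None):
    parts = urlsplit(url)
    route = ROUTES.get((method, parts.path))
    if route is None:
        return 405, None           # e.g. a GET aimed at a writing route
    handler, writes = route
    if not writes:
        return 200, handler(parse_qs(parts.query))
    form = form or {}
    sent = form.get("csrf_token", [""])[0]
    # POST alone proves nothing about origin; the session-bound token does.
    if not hmac.compare_digest(sent.encode(), csrf_token(session_id).encode()):
        return 403, None
    return 200, handler(form)
```

A forged POST without the token is rejected with 403 just as a GET to the writing route is rejected with 405, while the report URL stays usable as a plain link.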