[Catalyst] Re: REST - like uri design for CRUD
Christopher Laco
claco at chrislaco.com
Wed Jan 23 03:29:33 GMT 2008
Aristotle Pagaltzis wrote:
> * Peter Karman <peter at peknet.com> [2008-01-23 03:50]:
>> In my apps, I do server-side auth checks to verify that users
>> can't act on data they should not have access to.
>
> Peter, meet XSRF. XSRF, meet Peter.
>
> :-)
>
> My point with `<img src="/foo/delete">` was that an attacker
> tries to get an authenticated and authorised user to visit a
> page which contains that tag.
>
> Or maybe an authenticated and authorised user has software like
> the Google Web Accelerator installed.
>
> Regards,
But surely the same is true for POST as well using a form/javascript.
So what does that leave?
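To make the exchange concrete from the defender's side, here is an added example (not code from the thread or from Catalyst) contrasting the GET-triggered delete Aristotle describes with a handler that requires POST plus a per-session synthetic token. The Request class, the in-memory SESSIONS store and the HMAC-based token scheme are this example's own assumptions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)

# Toy in-memory session store (assumption): session id -> per-session secret.
SESSIONS = {}

def new_session() -> str:
    """Log a user in: mint a session id the browser will carry as a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid

def csrf_token(sid: str, action: str) -> str:
    """Per-session, per-action token embedded only in same-origin pages.
    A third-party page cannot read it, so a forged request cannot carry it."""
    return hmac.new(SESSIONS[sid], action.encode(), hashlib.sha256).hexdigest()

def vulnerable_delete(req: Request, store: dict) -> int:
    """The thread's <img src="/foo/delete"> case: the browser attaches the
    session cookie automatically and the server asks for nothing else."""
    if req.cookies.get("sid") not in SESSIONS:
        return 403
    store.pop("foo", None)
    return 200

def hardened_delete(req: Request, store: dict) -> int:
    """Require POST (an <img> or a prefetcher only issues GET) *and* a token
    that a cross-site form or script never had access to."""
    sid = req.cookies.get("sid")
    if sid not in SESSIONS:
        return 403
    if req.method != "POST":
        return 405
    expected = csrf_token(sid, "/foo/delete")
    if not hmac.compare_digest(expected, req.params.get("token", "")):
        return 403
    store.pop("foo", None)
    return 200
```

Requiring POST on its own only stops the `<img>` and prefetcher cases; it is the token, which a cross-site form or script cannot supply, that answers the follow-up question.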