[Seaside] URL parameters and seaside's security

Kamil Kukura kamk at volny.cz
Mon Aug 9 23:38:04 CEST 2004

Avi Bryant wrote:
> Yes.  This is similar to object-capabilities security: the callback ids 
> are capabilities, and if the app doesn't hand them out there's really no 
> way for you to make it do something.  Once the app has handed one out, 
> and as long as the capability hasn't been revoked/expired, it doesn't 
> perform any further checks - anyone with that key can perform the 
> action.  This is potentially dangerous, however (for example, someone 
> could inadvertently give out a Seaside URL through a referer header), 
> and one thing I've meant to do is provide optional IP-based or 
> cookie-based restrictions.

So right now to securely go to external URL is something like following?

	self session once: [self session redirectTo: 'http://...']

> I think they're stored in a Dictionary at some point, and so it's just 
> up to the hashing method.  Would it be helpful to have the order be more 
> consistent?

Hmm, to me coherent param=value is more sexy, so there could be 
parameter like _c= for callback? Hmm, I adapt with others' opinion.


More information about the Seaside mailing list