[Seaside-dev] Seaside and CSRF attacks

tim Rowledge tim at rowledge.org
Tue Aug 21 21:30:09 UTC 2018



> On 21-08-2018, at 1:07 PM, Esteban A. Maringolo <emaringolo at gmail.com> wrote:
> 
> Hi,
> 
> On 21/08/2018 16:44, Max Leske wrote:
> 
[snip useful stuff]

> I'm working with Seaside in VW, let me know if you need any further help
> with that. Seaside in VW isn't as updated as in other platforms.

Thanks; what would be really useful to me (and I feel it would make a good explanatory page for the seaside.st site as well) would be pointers to the right basic class(es) and methods to provide a simple example of the sequence of events that we get.

With much hand-waving I guess we might be able to say something like -

A buttonwidgetclass has created html that shows a button on your page. Clicking on the button sends a URL like this {pighrpghrgrud.eu/dsifjjrgirjr/wibble?soopasekritkey} to the server and it gets routed to thingummyclass by the dispatch code in whotzitclass>>blurgmethod. The soopasekritkey included in the URL is checked against the key(s) for classA/classB/whatever, which ensures that only requests made by pages generated by this server in this session during this phase of the moon (etc.) are handled (what happens to other ones? Can we make things at the bad guys' end blow up? I wish).

A diagram would probably help a lot to make a useful page.


tim
--
tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
"!" The strange little noise you make when you can't scream...
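The sequence tim sketches above, written out as an added example in Python so it can be run and checked offline. This is not code from the original post and not Seaside's own implementation: the class names (Session, ButtonWidget, Dispatcher), the `_k` query parameter and the example.invalid URLs are assumptions chosen for illustration; Seaside's real classes and URL layout differ. The point it shows is the defensive property the mail asks about: an action is only dispatched when the key in the URL was issued by that very session, and a forged key, a key copied from another session, or a key presented after the session is gone is refused rather than executed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


class Session:
    """One user session; it owns the action keys it has handed out.
    (Hypothetical class, stands in for whatever the framework uses.)"""

    def __init__(self):
        self.id = secrets.token_urlsafe(16)
        self._actions = {}  # action key -> callback to run

    def register_action(self, callback):
        # A fresh unguessable key per rendered action; the page is the
        # only place this key ever appears, so only that page can use it.
        key = secrets.token_urlsafe(16)
        self._actions[key] = callback
        return key

    def lookup(self, key):
        # Constant-time comparison against every issued key so response
        # timing does not leak how much of a guessed key was right.
        for known, callback in self._actions.items():
            if hmac.compare_digest(known.encode(), key.encode()):
                return callback
        return None


class ButtonWidget:
    """Renders a button whose link carries a session-bound action key."""

    def __init__(self, session, label, callback):
        self.session = session
        self.label = label
        self.callback = callback

    def url(self, base_url):
        key = self.session.register_action(self.callback)
        return f"{base_url}/{self.session.id}?_k={key}"

    def render(self, base_url):
        return f'<a href="{self.url(base_url)}">{self.label}</a>'


class Dispatcher:
    """Routes an incoming URL to the session and action it names."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        session = Session()
        self.sessions[session.id] = session
        return session

    def close_session(self, session_id):
        # Once a session is gone, every key it issued is dead with it.
        self.sessions.pop(session_id, None)

    def handle(self, url):
        parts = urlsplit(url)
        session_id = parts.path.rstrip("/").rsplit("/", 1)[-1]
        session = self.sessions.get(session_id)
        if session is None:
            return (404, "unknown or expired session")
        key = parse_qs(parts.query).get("_k", [""])[0]
        callback = session.lookup(key)
        if callback is None:
            # This is what happens to "the other ones": nothing runs.
            return (403, "action key was not issued by this session")
        return (200, callback())


if __name__ == "__main__":
    # Constructed walk-through: one legitimate click, then forgeries.
    app = Dispatcher()
    alice = app.new_session()
    button = ButtonWidget(alice, "Do it", lambda: "action ran")
    good = button.url("https://example.invalid/app")
    print(app.handle(good))
    print(app.handle(f"https://example.invalid/app/{alice.id}?_k=forged"))
```

Running the block prints `(200, 'action ran')` for the genuine link and a 403 for the forged one; the session id alone is not enough, because the key is what ties the request to a page this server actually rendered.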



