[Seaside] URL parameters and seaside's security
Kamil Kukura
kamk at volny.cz
Mon Aug 9 23:38:04 CEST 2004
Avi Bryant wrote:
> Yes. This is similar to object-capabilities security: the callback ids
> are capabilities, and if the app doesn't hand them out there's really no
> way for you to make it do something. Once the app has handed one out,
> and as long as the capability hasn't been revoked/expired, it doesn't
> perform any further checks - anyone with that key can perform the
> action. This is potentially dangerous, however (for example, someone
> could inadvertently give out a Seaside URL through a referer header),
> and one thing I've meant to do is provide optional IP-based or
> cookie-based restrictions.
So right now, to securely go to an external URL, is it something like the following?
self session once: [self session redirectTo: 'http://...']
> I think they're stored in a Dictionary at some point, and so it's just
> up to the hashing method. Would it be helpful to have the order be more
> consistent?
Hmm, to me a coherent param=value is sexier, so there could be a
parameter like _c= for the callback? Hmm, I'll adapt to others' opinions.
--
Kamil
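To make the capability model described above concrete (unguessable callback ids, revocation after a once-only use, expiry, and the optional cookie binding Avi mentions as a defence against a leaked URL), here is a small Python model added to this thread; it is not Seaside's code. The _c= query parameter is Kamil's suggested name; CallbackRegistry, its methods and the cookie values are constructed for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode

class CallbackRegistry:
    """Constructed model of callback ids used as capabilities.
    An id is honoured only if the app handed it out, it has not expired
    or been consumed, and it is presented with the same session cookie
    it was issued to (the cookie-based restriction discussed above)."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self._callbacks = {}          # id -> (action, cookie, issued_at, once)

    def register(self, action, cookie, once=False):
        # The random id is the capability: knowing it is the only proof needed,
        # so it must be unguessable (128 bits from the OS CSPRNG here).
        cb_id = secrets.token_urlsafe(16)
        self._callbacks[cb_id] = (action, cookie, self.clock(), once)
        return cb_id

    def url_for(self, base, cb_id):
        # Kamil's proposed coherent param=value form: ..._c=<callback id>
        return base + "?" + urlencode({"_c": cb_id})

    @staticmethod
    def id_from_query(query_string):
        return parse_qs(query_string).get("_c", [None])[0]

    def invoke(self, cb_id, cookie):
        entry = self._callbacks.get(cb_id)
        if entry is None:
            return "unknown-or-revoked"
        action, bound_cookie, issued_at, once = entry
        if self.clock() - issued_at > self.ttl:
            del self._callbacks[cb_id]
            return "expired"
        if bound_cookie != cookie:
            # A URL leaked through a Referer header carries the id but not
            # the victim's cookie, so the capability alone is not enough.
            return "cookie-mismatch"
        if once:
            del self._callbacks[cb_id]     # once: semantics, first use revokes it
        return action()
```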