http://www2.csoonline.com/exclusives/column.html?CID=33395
Article on Cross-Site Request Forgery, saying that only a solution
internal to the server can break the technique, and only if
it’s so pervasive that the attack itself becomes worthless.
Sorry I’m asking you to forward, but this matters!
Thanks,
-Antryg
Antryg Bogus Address wrote:
http://www2.csoonline.com/exclusives/column.html?CID=33395
Article on Cross-Site Request Forgery, saying that only a solution internal to the server can break the technique, and only if
it’s so pervasive that the attack itself becomes worthless.
Sorry I’m asking you to forward, but this matters!
I use news.gmane.org for viewing/posting to comp.lang.ruby.rails. No
need for a google account.
cheers,
mick
Article on Cross-Site Request Forgery, saying that only a solution internal to the server can break the technique, and only if
it’s so pervasive that the attack itself becomes worthless.
I haven’t been keeping up on RoR, but different frameworks such as
Seaside (Smalltalk) and Lift/Liftweb (Scala) avoid the issue by using
mapped tokens. RoR might have extensions/plugins that offer the same
functionality. I am unfamiliar with how TG, Wicket or other [Ruby] web
frameworks avoid/handle the problem. In a sense, this is just an
extension of the “destructive GET requests” that RoR worked to remove
~1.2 (IIRC).
That being said, wrong ML
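The "mapped tokens" mentioned in the last reply are what is usually called a synchronizer token: a random value stored in the server-side session and embedded in every form the server renders, so a request coming from a cross-site page (which can trigger the browser to send cookies but cannot read the victim's page) arrives without it and is refused. The following is an added example written for this thread, not code from the article, from Rails, Seaside or Lift; the session is a plain Hash standing in for a server-side session store, the parameter name `authenticity_token` is borrowed from Rails' convention, and `verify_request` and `demo` are hypothetical helpers. The GET exemption at the top is only safe because of the point made about "destructive GET requests": a state-changing GET would sidestep the check entirely.

```ruby
require "securerandom"

# Constructed example: a minimal synchronizer-token ("mapped token") CSRF check.
# Requests with these methods are assumed to be read-only and skip the token
# check; that assumption breaks if any GET changes server state.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# `session` stands in for a server-side session (one Hash per logged-in user).
# The token is minted once per session and rendered into every form as a
# hidden field; a cross-site page cannot read it.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so a mismatch does not leak the token byte by byte
# through timing.  Returns false for nil or for differing lengths.
def tokens_match?(expected, given)
  return false unless expected.is_a?(String) && given.is_a?(String)
  return false unless expected.bytesize == given.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# request is a constructed Hash: { method: "POST", params: { "..." => "..." } }.
# Returns :allowed or :forbidden; state-changing methods must carry the
# session's token under the "authenticity_token" parameter (Rails' name).
def verify_request(session, request)
  return :allowed if SAFE_METHODS.include?(request[:method].to_s.upcase)
  expected = session[:csrf_token]            # nil if no form was ever rendered
  given = request[:params]["authenticity_token"]
  tokens_match?(expected, given) ? :allowed : :forbidden
end

# Demo: render a form for a victim's session, then replay four requests:
# the legitimate form submission, a forged POST that has no token, a forged
# POST that guesses a token of the right length, and a plain GET.
def demo
  session = {}                          # victim's server-side session
  token = csrf_token_for(session)       # value embedded in the rendered form
  legit  = { method: "POST", params: { "authenticity_token" => token } }
  forged = { method: "POST", params: { "amount" => "100" } }
  guess  = { method: "POST", params: { "authenticity_token" => "a" * 64 } }
  read   = { method: "GET",  params: {} }
  {
    legit:  verify_request(session, legit),   # :allowed
    forged: verify_request(session, forged),  # :forbidden
    guess:  verify_request(session, guess),   # :forbidden
    read:   verify_request(session, read),    # :allowed
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The check is deliberately tied to the session rather than to a global secret: a token that is the same for every user would be readable by any account holder and therefore useless against a logged-in attacker, whereas a per-session random value is known only to the server and to pages the server rendered for that session.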