Edgewall Software

Changes between Initial Version and Version 1 of Ticket #3360, comment 30

Timestamp:
Feb 24, 2012, 7:47:39 AM (8 years ago)
Author:
Peter Suter

  • Ticket #3360, comment 30

    Changes from the initial version to v1:

    Line 2 (unmodified):
    > Just one doubt: do you use a `GET` request to save the preferences? This opens the door to XSRF attacks. Normally, all mutating operations must use `POST` requests, and must include the `__FORM_TOKEN`. The token should be available in !JavaScript in the global variable `form_token`, and can be passed with the request.

    Line 4 (modified):
    Right, thanks. Does [changeset:f9bee83cd0b4/psuter this] look ok?

    Lines 5-6 (added):
    Edit: Oops, I forgot to require `POST` requests. Added [changeset:3d7582dbc576/psuter here]. ([http://trac.edgewall.org/changeset/3d7582dbc576bdc783946da7bce25b0036b25496/psuter?old=8a0274183119696ebb760692d58b1e3d080668e2#file1 Full diff])