Please forward to RoR crowd ( my news-server doesn't carry, and I'm

[Antryg Bogus Address]

http://www2.csoonline.com/exclusives/column.html?CID=33395

Article on Cross Site Request forgery, saying that only a solution internal-to-the-server can break the technique, and only if
it's so pervasive that the attack itself becomes worthless.

Sorry I'm asking you to forward, but this matters!

Thanks,

-Antryg

 

[Michael Hollins]

http://www2.csoonline.com/exclusives/column.html?CID=33395

Article on Cross Site Request forgery, saying that only a solution internal-to-the-server can break the technique, and only if
it's so pervasive that the attack itself becomes worthless.

Sorry I'm asking you to forward, but this matters!

I use news.gmane.org for viewing/posting to comp.lang.ruby.rails. No
need for a google account.

cheers,
mick

 

[Paul Stickney]

Article on Cross Site Request forgery, saying that only a solution internal-to-the-server can break the technique, and only if

it's so pervasive that the attack itself becomes worthless.

I haven't been keeping up on RoR, but different frameworks such as
Seaside (Smalltalk) and Lift/Liftweb (Scala) avoid the issue by using
mapped tokens. RoR might have extensions/plugins that offer the same
functionality. I am unfamiliar how TG, Wicket or other [Ruby] web
frameworks avoid/handle the problem. In a sense, this is just an
extension of the "destructive GET requests" that RoR worked to remove
~1.2 (IIRC).

That being said, wrong ML