Re: [GSoC] Development of Cuirass. - pelzflorian (Florian Pelz)

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
To: guix-devel@gnu.org
Subject: Re: [GSoC] Development of Cuirass.
Date: Sun, 12 Mar 2017 16:18:34 +0100	[thread overview]
Message-ID: <814f70f0-569c-51c8-592d-16b1ea4c8e70@pelzflorian.de> (raw)
In-Reply-To: <87tw6yim7o.fsf@gnu.org>

Hello,

On 03/12/2017 03:49 PM, Mathieu Lirzin wrote:
> Sensitive requests should be done with an
>   authentification mechanism which is not determined yet.  I currently
>   have no experience with any and lack the knowledge to properly choose
>   one.

I’m new to Guix and Scheme and no expert in Web programming, but in
order to prevent CSRF and in order not to rely on JavaScript, the server
should run with HTTPS (of course) and
· use a secret session token and
· send a customized Web page to the client adapted so that each link and
form to the server includes the session token as a GET or POST parameter.

An alternative is Basic Access Authentication with HTTPS or Cookies with
HTTPS but they are vulnerable to CSRF.

See stackoverflow, for example

https://stackoverflow.com/questions/21357182/csrf-token-necessary-when-using-stateless-sessionless-authentication

Maybe others don’t take such a strong stance against JavaScript and
prefer another method, but I believe JavaScript does not belong in the Web.

Regards,
Florian

next prev parent reply	other threads:[~2017-03-12 15:18 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-12 14:49 [GSoC] Development of Cuirass Mathieu Lirzin
2017-03-12 15:18 ` pelzflorian (Florian Pelz) [this message]
2017-03-12 18:41   ` Mathieu Lirzin
2017-03-12 23:45     ` pelzflorian (Florian Pelz)
2017-03-20 22:05       ` Mathieu Lirzin
2017-03-13  8:49 ` Ludovic Courtès
2017-03-20 22:43   ` Mathieu Lirzin
2017-03-13 10:32 ` Andy Wingo
2017-03-20 22:47   ` Mathieu Lirzin
2017-03-13 19:17 ` Efraim Flashner
2017-03-21 14:31 ` Mathieu Lirzin
2017-03-21 14:40   ` Ludovic Courtès
2017-03-21 16:54   ` Jan Nieuwenhuizen
2017-03-21 17:25   ` Tobias Geerinckx-Rice
2017-03-21 18:55   ` Leo Famulari
2017-03-22 16:11   ` Ricardo Wurmus

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=814f70f0-569c-51c8-592d-16b1ea4c8e70@pelzflorian.de \
    --to=pelzflorian@pelzflorian.de \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.