[Tickets #5307] Re: Upgrade Prototype to 1.5.1_rc3 and make use of CSRF protection
bugs at bugs.horde.org
Thu May 3 03:54:41 UTC 2007
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=5307
-----------------------------------------------------------------------
Ticket | 5307
Updated By | Chuck Hagenbuch <chuck at horde.org>
Summary | Upgrade Prototype to 1.5.1_rc3 and make use of CSRF protection
Queue | Horde Base
Version | HEAD
Type | Enhancement
State | Feedback
Priority | 2. Medium
Owners |
-----------------------------------------------------------------------
Chuck Hagenbuch <chuck at horde.org> (2007-05-02 20:54) wrote:
The issue isn't actually whether or not we trust the output of our scripts; it's that without the security header, a malicious site can load the JavaScript we output without the user knowing (provided that they're logged in to Horde).

gollem.js.php doesn't contain anything that I could imagine being useful, but since it can be requested directly, it's the sort of thing that should probably be protected.

For things like Horde_Tree we're probably okay unless we make the data available with a text/javascript (or */*) content-type.
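An added example, not Horde's code and not from the ticket, of the kind of gate the comment is asking for. A cross-site `<script src="https://horde.example/gollem.js.php">` is sent with the victim's session cookie, but the browser will not attach a custom request header to it; an in-page XMLHttpRequest can. The server therefore serves the dynamic script only when that header is present. The header name (X-Requested-With), the cookie name (horde_session), the session store and the script body are all assumptions made for the example.

```python
"""Gate a dynamically generated script behind a request header that a
cross-site <script src=...> load cannot supply.

Added example, not Horde's code.  Assumptions (not from the ticket):
the header checked is X-Requested-With, the session cookie is named
"horde_session", and the generated script body is a placeholder.
"""

from http import HTTPStatus

SESSION_COOKIE = "horde_session"       # assumed cookie name
REQUIRED_HEADER = "x-requested-with"   # assumed: added by XMLHttpRequest wrappers
VALID_SESSIONS = {"s3ss10n": "alice"}  # constructed sample session store


def _session_from_cookie(cookie_header):
    """Return the session id carried in a Cookie header value, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE:
            return value or None
    return None


def generated_script(username):
    """Stand-in for the per-user JavaScript that gollem.js.php would emit."""
    return "var HordeUser = %r;" % username   # constructed placeholder body


def serve_script(headers):
    """Decide how to answer a request for the dynamic script.

    `headers` is a dict of request headers with lowercase names.
    Returns (status, content_type, body).
    """
    session = _session_from_cookie(headers.get("cookie", ""))
    if session not in VALID_SESSIONS:
        return HTTPStatus.UNAUTHORIZED, "text/plain", "login required"

    # A <script src> from another origin sends the cookie but cannot add a
    # custom header, so requiring one rejects that cross-site inclusion
    # while the application's own XMLHttpRequest calls still get through.
    if headers.get(REQUIRED_HEADER, "").lower() != "xmlhttprequest":
        return HTTPStatus.FORBIDDEN, "text/plain", "missing request header"

    return HTTPStatus.OK, "text/javascript", generated_script(VALID_SESSIONS[session])


if __name__ == "__main__":
    # Constructed requests: the application's own XHR, and a cross-site
    # <script src> load that carries the cookie but no custom header.
    print(serve_script({"cookie": "horde_session=s3ss10n",
                        "x-requested-with": "XMLHttpRequest"}))
    print(serve_script({"cookie": "horde_session=s3ss10n"}))
```

The check only helps for responses a browser will execute; it does nothing for the logged-out case beyond the usual session check, and it is separate from the content-type point in the comment, where data not served as text/javascript (or */*) is not loadable through a script tag in the first place.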