fw at deneb.enyo.de
Mon Feb 15 20:44:07 UTC 2010
Tags: upstream important
You cannot use a RESTful interface from a browser because it is open
to CSRF attacks. Using an HttpOnly cookie is not sufficient because
some of our browsers do not support HttpOnly.
attachment back to the browser for execution, offering yet another
attack vector which also affects browsers with HttpOnly support.
This has already been reported upstream, without realizing that we had
shipped it in lenny (with no response from upstream so far):
But lenny is exposed in a rather different way; it does not seem to
offer any authentication at all.
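The two problems the report names (a cookie-authenticated REST endpoint that any site can drive through the user's browser, and user-uploaded attachments being handed back for in-browser execution) both have server-side mitigations that do not rely on HttpOnly. The following is an added example, not code from the report, from Debian or from the upstream project: a CSRF gate for state-changing requests that requires a custom header (which a cross-site form or image tag cannot add) and an allow-listed `Origin`/`Referer`, and a header set for serving attachments so the browser downloads rather than renders them. The allowed origin and the header objects are constructed assumptions.

```python
"""Added example: CSRF gate and safe attachment headers for a
cookie-authenticated REST API.  Not part of the bug report or of any
shipped package; origins and requests below are constructed for illustration."""

from urllib.parse import urlsplit

# Assumption: the only origin whose scripts may drive the API.
ALLOWED_ORIGINS = {"https://app.example.org"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def csrf_check(method, headers):
    """Decide whether a request may proceed despite a valid session cookie.

    `headers` is a dict with lower-case header names.  Returns (accepted, reason).
    A cookie (HttpOnly or not) proves nothing about which site triggered the
    request, so the decision rests on what a cross-site page cannot forge.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    # Plain <form>, <img> and <script> requests cannot carry a custom header;
    # only script on an origin the server's CORS policy admits can set it.
    if headers.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing custom header"

    origin = headers.get("origin")
    if origin is None:
        referer = headers.get("referer")
        if referer:
            parts = urlsplit(referer)
            origin = f"{parts.scheme}://{parts.netloc}"
    if origin is None:
        return False, "no origin or referer"
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    return True, "ok"


def _safe_filename(name):
    """Keep only characters that cannot break the header or inject CR/LF."""
    kept = "".join(c for c in name if c.isalnum() or c in "._-")
    return kept or "download"


def attachment_headers(filename):
    """Response headers for a stored user attachment.

    Forces a download under a generic type and disables MIME sniffing, so
    HTML or script stored as an attachment is not executed in the API's origin.
    """
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{_safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed requests: a forged cross-site PUT and a legitimate one.
    print(csrf_check("PUT", {"cookie": "AuthSession=abc"}))
    print(csrf_check("PUT", {"cookie": "AuthSession=abc",
                             "x-requested-with": "XMLHttpRequest",
                             "origin": "https://app.example.org"}))
    print(attachment_headers('report".html\r\n'))
```

The custom-header requirement is what makes the gate work: browsers refuse to add it to a cross-site request unless a CORS preflight succeeds, so the `Origin` check and the header check reinforce each other. The attachment headers address the second vector independently of cookie handling.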
More information about the Pkg-erlang-devel