On Wed, Jun 17, 2020 at 10:02:21AM +0000, solderpunk wrote:
> In general, requiring all non-idempotent requests to use a query and
> recommending clients to strip (or ask for confirmation of) queries found
> in links and redirects, might be enough to solve the worst of the
> problem.

Of course, it only takes *one* popular client not bothering to do this to
make all apps relying on it vulnerable, so really robust ones are probably
going to have to faff about with nonces anyway.

Cheers,
Solderpunk
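The two defences discussed in this message, a query requirement for non-idempotent requests plus a per-client nonce on the server side, and query stripping on the client side, worked through as an added example. This is illustrative code written for this page, not code from solderpunk or from any Gemini server or client. It assumes the client is identified by the fingerprint of its TLS client certificate, that the server holds a per-process secret key (SERVER_KEY), and that gemtext link lines have the form "=> URL [label]"; the request router, action name "delete" and the posts dictionary are constructed for the demo.

```python
"""Nonce-protected non-idempotent action for a Gemini-style app (added example).

Constructed for illustration. Assumptions:
- client identity is the fingerprint of the TLS client certificate
- the server keeps a per-process secret key (SERVER_KEY)
- gemtext link lines look like "=> URL [label]"
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit, urlunsplit

SERVER_KEY = secrets.token_bytes(32)   # assumption: fresh per server process
NONCE_TTL = 300                        # seconds a confirmation link stays valid


def issue_nonce(fingerprint, action, now=None, key=SERVER_KEY, ttl=NONCE_TTL):
    """Mint a nonce bound to (client cert, action, expiry). A link crafted by a
    third party is useless: they do not know a nonce valid for the victim's cert."""
    exp = int((time.time() if now is None else now) + ttl)
    msg = f"{fingerprint}|{action}|{exp}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{exp}-{tag}"


def verify_nonce(fingerprint, action, nonce, now=None, key=SERVER_KEY):
    """Recompute the tag for this client and action; reject expired or tampered nonces."""
    exp_s, _, tag = nonce.partition("-")
    if not exp_s.isdigit() or not tag:
        return False
    if (time.time() if now is None else now) > int(exp_s):
        return False
    msg = f"{fingerprint}|{action}|{exp_s}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def handle_request(url, fingerprint, posts, now=None):
    """Minimal router returning (status, meta, body) with Gemini status codes.
    Deleting a post needs BOTH a valid nonce in the path AND an explicit query,
    so neither a bare link nor a guessed query can trigger it."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if fingerprint is None:
        return (60, "Client certificate required", "")
    if segs == ["delete"]:
        # Step 1: following a plain link to /delete never deletes anything; it
        # only renders a confirmation link whose path carries a fresh nonce.
        nonce = issue_nonce(fingerprint, "delete", now)
        body = f"# Delete your post?\n=> /delete/{nonce} Yes, delete it\n"
        return (20, "text/gemini", body)
    if len(segs) == 2 and segs[0] == "delete":
        if not verify_nonce(fingerprint, "delete", segs[1], now):
            return (59, "Bad or expired confirmation token", "")
        if parts.query != "YES":
            # Step 2: no query yet -> status 10 INPUT; the client appends ?<answer>.
            return (10, "Type YES to confirm deletion", "")
        # Step 3: nonce valid for this cert and the explicit query is present.
        posts.pop(fingerprint, None)
        return (20, "text/gemini", "Deleted.\n")
    return (51, "Not found", "")


# Client side: the mitigation the thread discusses. Strip the query from links
# and redirect targets so a page (or redirect) cannot make the client issue a
# query request on the user's behalf.
def strip_query(url):
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", p.fragment))


def sanitize_gemtext_link(line):
    """Strip queries from '=> URL label' lines; other lines pass through unchanged."""
    if not line.startswith("=>"):
        return line
    rest = line[2:].strip().split(None, 1)
    if not rest:
        return line
    url = strip_query(rest[0])
    return "=> " + url + ((" " + rest[1]) if len(rest) > 1 else "")
```

The nonce lives in the path rather than the query so that a client which strips queries from links still reaches the confirmation step; the server then asks for input (status 10) and only acts when the user's own answer arrives as the query. A nonce minted for one certificate does not verify for another, and it expires after NONCE_TTL seconds.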
---
Previous in thread (3 of 8): solderpunk (solderpunk (a) SDF.ORG)
Next in thread (5 of 8): Jason McBrayer (jmcbray (a) carcosa.net)