💾 Archived View for rawtext.club › ~sloum › geminilist › 001725.gmi captured on 2020-10-31 at 02:28:46. Gemini links have been rewritten to link to archived content


CSRF in Gemini

Sean Conner sean at conman.org

Tue Jun 16 02:28:08 BST 2020

- - - - - - - - - - - - - - - - - - - 

It was thus said that the Great Francesco Gazzetta once stated:

Hi all,
I just wrote down a few thoughts about cross-site request forgery in
Gemini:
gemini://gemini.circumlunar.space/~/fgaz/posts/2020-06-15-csrf-in-gemini/

I read the article and I don't think this is that much of an issue with Gemini. It lacks javascript. It lacks cookies. It severely limits the data that can be posted. Authentication is done via certificates. About the only valid issue is the SPAM issue you brought up, but I think it *is* possible to detect since the server will have the IP address of the sender---repeated requests could be blocked by blocking the IP address.

Another issue with the nonce (other than how to send it back) is that a malicious bot can just make a request that returns the nonce and use it, like a Gemini client with a human driver will do.

It's an issue, but less of one than on the web.

-spc
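The per-IP throttle Sean describes ("repeated requests could be blocked by blocking the IP address") is easy to make concrete. The following is an added example, not code from the original post or from any Gemini server project: a sliding-window counter keyed on client IP, wrapped around a minimal guestbook-style handler. The request log, IP addresses (RFC 5737 documentation ranges) and the `limit`/`window` values are all constructed for the illustration. The status codes are the real Gemini ones: 10 (INPUT) prompts for a line of input, 20 (SUCCESS) carries a MIME type, and 44 (SLOW DOWN) carries the number of seconds the client should wait before retrying.

```python
"""Per-client-IP request throttling for a Gemini server.

Constructed example for the 'block repeated requests by IP' mitigation; it is
not taken from any existing Gemini server.  A nonce alone does not stop a bot
(the bot can fetch the nonce exactly like a human-driven client would), so the
rate limit is what actually bounds the spam volume from a single address.
"""
from collections import defaultdict, deque


class IpThrottle:
    """Allow at most `limit` requests per `window` seconds from one client IP."""

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = window
        # ip -> timestamps (seconds) of requests still inside the window
        self._hits = defaultdict(deque)

    def allow(self, ip, now):
        """Record a request at time `now` and return True if it is within the limit."""
        q = self._hits[ip]
        # Evict timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: do not record, just reject
        q.append(now)
        return True


def handle_request(throttle, ip, request_url, now):
    """Return the Gemini status line the server would send for one request.

    44 SLOW DOWN with META = seconds to wait, 10 INPUT to prompt for a comment,
    20 SUCCESS once a query string (the submitted comment) is present.
    """
    if not throttle.allow(ip, now):
        return "44 60\r\n"
    if "?" in request_url:
        return "20 text/gemini\r\n"  # comment accepted
    return "10 Enter your comment\r\n"  # no query yet: ask for input


# Constructed request log: (time in seconds, client IP, request URL).
SAMPLE_LOG = [
    (0.0, "198.51.100.4", "gemini://example.org/guestbook"),        # human fetches prompt
    (8.0, "198.51.100.4", "gemini://example.org/guestbook?Hello"),  # human submits once
    (10.0, "203.0.113.7", "gemini://example.org/guestbook?spam1"),  # bot, burst begins
    (10.1, "203.0.113.7", "gemini://example.org/guestbook?spam2"),
    (10.2, "203.0.113.7", "gemini://example.org/guestbook?spam3"),
    (10.3, "203.0.113.7", "gemini://example.org/guestbook?spam4"),  # 4th in window -> 44
    (75.0, "203.0.113.7", "gemini://example.org/guestbook?spam5"),  # window expired -> allowed
]


def simulate(log, limit=3, window=60.0):
    """Replay a request log through one throttle and return the status lines."""
    throttle = IpThrottle(limit=limit, window=window)
    return [handle_request(throttle, ip, url, t) for t, ip, url in log]


if __name__ == "__main__":
    for (t, ip, url), status in zip(SAMPLE_LOG, simulate(SAMPLE_LOG)):
        print(f"t={t:5.1f} {ip:<13} {url.split('/')[-1]:<16} -> {status.strip()}")
```

The human at 198.51.100.4 never hits the limit; the bot at 203.0.113.7 gets its fourth request in the window answered with `44 60` and is only served again once the window has moved past the burst. Tuning `limit` and `window` is the whole policy decision: too tight and a slow human typing several comments gets throttled, too loose and the bot still gets useful throughput.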