[tahoe-dev] web "control panel"

Brian Warner warner at lothar.com
Tue Jan 25 12:33:11 UTC 2011


On 1/24/11 7:43 PM, Chris Palmer wrote:
> To avoid the $SECRET-in-URL leaking problem, put $SECRET in a hidden
> form field that is sent to the server in POST requests to update the
> configuration, rather than in a leakable URL. (Secrets don't belong in
> names, no matter how much you want them to.)
> 
> Then you'd have a solution identical to the standard CSRF solution for
> non-cap web apps. It is proven to work well.
> 
> Of course, making $SECRET short-lived is still a good idea.

Hmm, I like the idea overall, although of course it explicitly disallows
the idea of bookmarking your access to the control panel, but that's
kind of the point.

Any idea how to make that work with a python "webbrowser.open(URL)"
call? I don't think there's any way to construct a URL which embeds the
hidden-form arguments so that you can tell a browser's remote-control
API to pop open a window to the control-panel. Maybe use a one-time
secret URL which emits a page with the multiple-use CSRF tokens and then
self-destructs?

Also, how does the "standard solution" deal with GETs? It seems to me
that this technique means all your regular href= links to similarly
protected resources have to be expressed with POST forms and buttons,
which would be kinda unfortunate.

Thanks! This is just the sort of discussion I was hoping for!
 -Brian
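
The one-time launch URL idea raised in the message above, sketched as an added example that is not part of the original post or of Tahoe-LAFS. The class, paths, the `csrf_token` field name and the base URL are hypothetical, and HTTP handling is reduced to (status, body) pairs.

```python
import hmac
import secrets
import time

PREFIX = "/control/launch/"          # hypothetical path
FORM = ('<form method="POST" action="/control/update">'
        '<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Save"></form>')


class ControlPanel:
    """Hypothetical gate: single-use launch URL, then a POST-only token."""

    def __init__(self, launch_ttl=30.0, clock=time.monotonic):
        self._clock = clock
        self._launch_ttl = launch_ttl
        self._launch = None   # (secret, expiry) behind the one-time URL
        self._csrf = None     # multiple-use token, sent only in page bodies

    def make_launch_url(self, base="http://127.0.0.1:8080"):
        # This URL is what gets passed to webbrowser.open(). It can leak via
        # history or Referer, so it must be worthless after the first fetch.
        secret = secrets.token_urlsafe(32)
        self._launch = (secret, self._clock() + self._launch_ttl)
        return base + PREFIX + secret

    def handle_get(self, path):
        if self._launch is None or not path.startswith(PREFIX):
            return 404, ""
        secret, expiry = self._launch
        presented = path[len(PREFIX):]
        if not hmac.compare_digest(presented.encode(), secret.encode()):
            return 404, ""
        self._launch = None   # self-destruct, even if the link has expired
        if self._clock() > expiry:
            return 410, ""
        self._csrf = secrets.token_urlsafe(32)
        return 200, FORM.format(token=self._csrf)

    def handle_post(self, form):
        # State changes need the token from the POST body, never from a URL.
        token = form.get("csrf_token", "")
        if self._csrf is None or not hmac.compare_digest(
                token.encode(), self._csrf.encode()):
            return 403, "missing or wrong token"
        return 200, "configuration updated"
```

Replaying the launch path after its first fetch returns 404, while the token embedded in the returned form keeps working for later POSTs.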

