[tahoe-dev] web "control panel", static server selection UI
chris at noncombatant.org
Tue Jan 25 03:43:29 UTC 2011
To avoid the $SECRET-in-URL leaking problem, put $SECRET in a hidden form
field that is sent to the server in POST requests to update the
configuration, rather than in a leakable URL. (Secrets don't belong in
names, no matter how much you want them to.)
Then you'd have a solution identical to the standard CSRF solution for
non-cap web apps. It is proven to work well.
Of course, making $SECRET short-lived is still a good idea.
More information about the tahoe-dev