[tahoe-dev] web "control panel"

Chris Palmer chris at noncombatant.org
Tue Jan 25 21:08:05 UTC 2011


Brian Warner writes:

> Any idea how to make that work with a python "webbrowser.open(URL)" call?
> [...] Maybe use a one-time secret URL which emits a page with the
> multiple-use CSRF tokens and then self-destructs?

Sure, like password-reset links sent in email. I'm not entirely sure this
approach would work for this purpose, however.

> Also, how does the "standard solution" deal with GETs?

You can put the secret parameter in the URL query string, thus defeating the
porpoise.

More to the point, GETs are supposed to be idempotent and safe. Updating
your server's configuration does not fall into that category. Use only POSTs
for changes in state, just like the HTTP spec says.

Hilariously, the Ruby community found this out the hard way when Google Web
Accelerator (a caching proxy just like any other) prefetched links in Rails
apps like Delete Item and Buy Now and Blow Up Everything. (Note that
browsers also prefetch now, too.)

> It seems to me that this technique means all your regular href= links to
> similarly protected resources have to be expressed with POST forms and
> buttons, which would be kinda unfortunate.

If you crave the visual style of text links, you can always give them
JavaScript event handlers:

<a onclick="deleteAccount()">Delete Account</a>

No href for GWA or whatever to follow.


-- 
http://noncombatant.org/
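As an added example (not code from this thread or from Tahoe-LAFS), a minimal model of the scheme Brian sketches combined with the POST-only rule above: the one-time bootstrap URL opened via webbrowser.open() is spent on first use and hands back a multi-use CSRF token, and the config endpoint refuses GET outright (so a token leaked into a query string buys nothing) and checks the token on POST. The host, port, paths and form field names are assumptions.

```python
import hmac
import secrets


class ControlPanel:
    """Toy model of a node's web control panel (hypothetical, for illustration)."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)      # multi-use, lives in the page
        self.bootstrap_token = secrets.token_urlsafe(32)  # one-time, lives in the URL
        self.config = {"verbose": False}

    def bootstrap_url(self):
        # What the launcher would hand to webbrowser.open(); host/port are assumed.
        return "http://127.0.0.1:3456/start?otk=" + self.bootstrap_token

    def handle(self, method, path, query=None, form=None):
        """Dispatch one request; returns (status, body)."""
        query, form = query or {}, form or {}

        if path == "/start":
            # One-time secret URL: constant-time compare, then self-destruct.
            otk = query.get("otk", "")
            if self.bootstrap_token is None or not hmac.compare_digest(
                otk, self.bootstrap_token
            ):
                return 403, "bootstrap link missing, wrong or already used"
            self.bootstrap_token = None
            return 200, (
                '<form method="POST" action="/config">'
                f'<input type="hidden" name="csrf" value="{self.csrf_token}">'
                '<input type="checkbox" name="verbose"> verbose'
                '<button>Save</button></form>'
            )

        if path == "/config":
            # GET is supposed to be safe and idempotent; never change state on it,
            # no matter what the query string carries.
            if method != "POST":
                return 405, "state changes require POST"
            if not hmac.compare_digest(form.get("csrf", ""), self.csrf_token):
                return 403, "missing or bad CSRF token"
            self.config["verbose"] = form.get("verbose") == "on"
            return 200, "updated"

        return 404, "not found"
```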