 |
RE: MemeStreams click-throughs appearing on YouTube |
|
| RE: MemeStreams click-throughs appearing on YouTube by Acidus at 9:01 am EDT, Mar 13, 2007 | |||
As for the Deleting problem this is simply XSRF rearing its head again and actually you can fix it fairly easily: Always always always have a landing page! Right off the bat, I should never be able visit a single URL and the result of me visiting that URL is that a meme gets deleted. 1- This violates RFC 2616 about HTTP's "safe" methods GET and HEAD vs. a POST. Every "delete this meme" link on should take you to a page that says "are you sure?" On that "are you sure" page, the server should place a random, time limited token in a hidden HTML field. The "yes, delete this" should be a button that causes a HTTP POST back to Memestreams with the oid of the meme and the random token. Only if the supplied token matches what the server pushed down should the meme deleted. I can think of two special cases where an "Are you sure" landing page isn't practical for deleting meme on Memestreams: 1- Multiple select memes in the Memebox summary page to delete. The "delete" button already makes a POST, so you are safe there. Every time the summary page is generated a random token should a hidden HTML field should be downloaded. If you really want to be paranoid you can store on the server in your Sessions collection what oid's can be deleted with a token for that user. That way a single token for generated from a Memebox summary page cannot be used to delete memes that weren't shown on that summary page. Regardless, you can fix this. 2-When viewing a single meme. Again, same as before. Make "delete this meme" a button and style it to look nice. Send down a token whenever someone looks at an individual meme. | |||
| Thread [4] - Reply | |||
