diff options
author | Joey Hess <joey@gnu.kitenet.net> | 2009-02-03 13:51:10 -0500 |
---|---|---|
committer | Joey Hess <joey@gnu.kitenet.net> | 2009-02-03 13:51:10 -0500 |
commit | 1b3dbe0b91d7646096229fb531a3527df3b3587a (patch) | |
tree | a0ddcd56e83fc7792107e38872d2bee93e87ac14 | |
parent | bc3fb1ceabf7f2139ce42e782e3f9d96e33dce0f (diff) |
not so fast
-rw-r--r-- | doc/todo/comments.mdwn | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/todo/comments.mdwn b/doc/todo/comments.mdwn index 8da640f26..7a113bee3 100644 --- a/doc/todo/comments.mdwn +++ b/doc/todo/comments.mdwn @@ -17,6 +17,15 @@ a single button-press, without being vulnerable to cross-site request forgery. So I'll put this in as wontfix. --[[smcv]] + > Surely there's a way around that? + > A web 2.0 way comes to mind: The user clicks on a link + > to open the comment post form. While the nasty web 2.0 javascript :) + > is manipulating the page to add the form to it, it looks at the cookie + > and uses that to insert a sid field. + > + > Or, it could have a mandatory preview page and do the CSRF check then. + > --[[Joey]] + * It would be useful to have a pagespec that always matches all comments on pages matching a glob. Something like `comment(blog/*)`. Perhaps postcomment could also be folded into this? Then the pagespec |