author: Joey Hess <joey@gnu.kitenet.net> 2009-02-03 13:51:10 -0500
committer: Joey Hess <joey@gnu.kitenet.net> 2009-02-03 13:51:10 -0500
commit: 1b3dbe0b91d7646096229fb531a3527df3b3587a (patch)
tree: a0ddcd56e83fc7792107e38872d2bee93e87ac14
parent: bc3fb1ceabf7f2139ce42e782e3f9d96e33dce0f (diff)
not so fast
-rw-r--r-- doc/todo/comments.mdwn | 9
1 file changed, 9 insertions, 0 deletions
diff --git a/doc/todo/comments.mdwn b/doc/todo/comments.mdwn
index 8da640f26..7a113bee3 100644
--- a/doc/todo/comments.mdwn
+++ b/doc/todo/comments.mdwn
@@ -17,6 +17,15 @@
a single button-press, without being vulnerable to cross-site request forgery.
So I'll put this in as wontfix. --[[smcv]]
+ > Surely there's a way around that?
+ > A web 2.0 way comes to mind: The user clicks on a link
+ > to open the comment post form. While the nasty web 2.0 javascript :)
+ > is manipulating the page to add the form to it, it looks at the cookie
+ > and uses that to insert a sid field.
+ >
+ > Or, it could have a mandatory preview page and do the CSRF check then.
+ > --[[Joey]]
+
* It would be useful to have a pagespec that always matches all comments on
pages matching a glob. Something like `comment(blog/*)`.
Perhaps postcomment could also be folded into this? Then the pagespec
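Review bot: the first proposal in this hunk (the script "looks at the cookie and uses that to insert a sid field") only works if the session cookie is readable from page JavaScript, which means it cannot carry the HttpOnly flag; that trade-off between CSRF protection and keeping the session id out of reach of script should be spelled out in the todo item before anyone picks this route. The second alternative (a mandatory preview page that performs the CSRF check) has no such dependency, so consider recording that as the preferred option rather than listing both as equals.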