diff options
| -rw-r--r-- | doc/todo/comments.mdwn | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/todo/comments.mdwn b/doc/todo/comments.mdwn index 8da640f26..7a113bee3 100644 --- a/doc/todo/comments.mdwn +++ b/doc/todo/comments.mdwn @@ -17,6 +17,15 @@ a single button-press, without being vulnerable to cross-site request forgery. So I'll put this in as wontfix. --[[smcv]] + > Surely there's a way around that? + > A web 2.0 way comes to mind: The user clicks on a link + > to open the comment post form. While the nasty web 2.0 javascript :) + > is manipulating the page to add the form to it, it looks at the cookie + > and uses that to insert a sid field. + > + > Or, it could have a mandatory preview page and do the CSRF check then. + > --[[Joey]] + * It would be useful to have a pagespec that always matches all comments on pages matching a glob. Something like `comment(blog/*)`. Perhaps postcomment could also be folded into this? Then the pagespec |