From 1b3dbe0b91d7646096229fb531a3527df3b3587a Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 3 Feb 2009 13:51:10 -0500 Subject: not so fast --- doc/todo/comments.mdwn | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/todo/comments.mdwn b/doc/todo/comments.mdwn index 8da640f26..7a113bee3 100644 --- a/doc/todo/comments.mdwn +++ b/doc/todo/comments.mdwn @@ -17,6 +17,15 @@ a single button-press, without being vulnerable to cross-site request forgery. So I'll put this in as wontfix. --[[smcv]] + > Surely there's a way around that? + > A web 2.0 way comes to mind: The user clicks on a link + > to open the comment post form. While the nasty web 2.0 javascript :) + > is manipulating the page to add the form to it, it looks at the cookie + > and uses that to insert a sid field. + > + > Or, it could have a mandatory preview page and do the CSRF check then. + > --[[Joey]] + * It would be useful to have a pagespec that always matches all comments on pages matching a glob. Something like `comment(blog/*)`. Perhaps postcomment could also be folded into this? Then the pagespec -- cgit v1.2.3