Florent Guillaume wrote:
Oliver Bleutgen <myzope@gmx.net> wrote:
The issue of client side trojan recently came to my mind again. [..] I think zope's management methods (the potentially destructive ones) should not accept REQUESTs with REQUEST_METHOD "GET".
I like the idea of trying to secure that kind of things a lot.
Unfortunately, considering how trivial it is for Javascript code to do a POST programmatically, I don't see how that proposal would actually help.
Although I repeat myself, implementing this proposal would give me a lot of options to prevent myself from this kind of attack, completely or partially.

- In Internet Explorer I can disable javascript. (problem solved)
- In Internet Explorer I use the zone restrictions (prevents attacks from untrusted servers)
- I can do the same in mozilla
- additionally, in mozilla I can just disable form submitting in javascript, with something like (this is surely wrong)

user_pref("capability.policy.default.HTMLFormElement.submit", "noAccess");

Put this in your prefs.js file and you are done.

Really, it _would_ help.

cheers,
oliver
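The guard Oliver proposes, written out as an added example that is not code from this thread or from Zope itself: a decorator that makes a destructive management method refuse GET. The Folder class, the Request stand-in and the attempt() helper are constructed for the example; only the method name manage_delObjects mirrors Zope. The example also shows the limit Florent points out: the check keys on REQUEST_METHOD alone, so a POST is accepted whatever produced it.

```python
from functools import wraps


class Request(dict):
    """Constructed stand-in for a Zope REQUEST exposing REQUEST_METHOD and form data."""
    def __init__(self, method, form=None):
        super().__init__(REQUEST_METHOD=method.upper(), form=form or {})


class MethodNotAllowed(Exception):
    """Raised when a state-changing management method is reached via GET or HEAD."""


def post_only(func):
    """Refuse GET and HEAD for destructive management methods, per the proposal."""
    @wraps(func)
    def wrapper(self, REQUEST, *args, **kwargs):
        method = REQUEST.get("REQUEST_METHOD", "GET")
        if method in ("GET", "HEAD"):
            raise MethodNotAllowed(f"{func.__name__} refuses {method}; use POST")
        return func(self, REQUEST, *args, **kwargs)
    return wrapper


class Folder:
    """Constructed stand-in for a Zope folder with one destructive method."""
    def __init__(self, ids):
        self.objects = set(ids)

    @post_only
    def manage_delObjects(self, REQUEST):
        # Delete the ids named in the form and return what remains.
        ids = REQUEST["form"].get("ids", [])
        self.objects -= set(ids)
        return sorted(self.objects)


def attempt(folder, method, ids):
    """Try the deletion via the given HTTP method; report whether the guard stopped it."""
    try:
        remaining = folder.manage_delObjects(Request(method, {"ids": ids}))
        return ("allowed", remaining)
    except MethodNotAllowed as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    folder = Folder(["a", "b"])
    print(attempt(folder, "GET", ["a"]))   # refused, nothing deleted
    print(attempt(folder, "POST", ["a"]))  # allowed, regardless of who sent the POST
```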