JSON-RPC GET User.login security
Gervase Markham
gerv at mozilla.org
Wed Nov 10 16:59:44 UTC 2010
On 10/11/10 00:16, Max Kanat-Alexander wrote:
> Hey there. Right now, we deny calling the "User.login" method when
> using the GET method for JSON-RPC calls. Is there actually any good
> security-based reason to do so?
Assuming User.login requires an explicitly-specified username and
password, I can't see any cross-site issues. And the issue with
usernames and passwords in logs is typical of all JSONP. So no, I can't
immediately see a problem.
Gerv
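The one concern Gerv concedes above is that a GET login puts the credentials into the query string, where web-server access logs and proxies retain them. The following is an added example, not code from Bugzilla or from anyone in this thread. It assumes the JSON-RPC-over-GET shape `?method=...&params=<JSON array>&callback=...`, assumes the login parameters are named `login` and `password`, and shows how a server or log pipeline can recognise such a call and redact the secret values before the URL is written to a log, while leaving the rest of the request intact for debugging.

```python
import json
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Parameter names treated as secrets when a JSON-RPC call arrives over GET.
# These names are assumptions for this example, not taken from the thread.
SECRET_PARAMS = {"password", "token"}

# Constructed sample request: a User.login call over GET with JSONP callback.
SAMPLE_URL = (
    "https://bugzilla.example/jsonrpc.cgi"
    "?method=User.login"
    "&params=%5B%7B%22login%22%3A%22alice%40example.org%22%2C"
    "%22password%22%3A%22s3cret%22%7D%5D"
    "&callback=cb"
)


def parse_jsonrpc_get(url):
    """Split a JSON-RPC-over-GET URL into (method, params, callback).

    params is the decoded JSON array from the query string; an absent
    params value is treated as an empty list.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    method = qs.get("method", [None])[0]
    params = json.loads(qs.get("params", ["[]"])[0])
    callback = qs.get("callback", [None])[0]
    return method, params, callback


def carries_secret(params):
    """True when any object in the params array holds a secret-named key."""
    return any(
        isinstance(p, dict) and SECRET_PARAMS.intersection(p) for p in params
    )


def redact_url_for_log(url):
    """Return the URL with secret values inside the params JSON replaced by
    '[REDACTED]', so an access log never retains the password itself.

    URLs that do not carry a JSON params array are returned unchanged.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "params" not in qs:
        return url
    try:
        params = json.loads(qs["params"][0])
    except ValueError:
        return url  # not the assumed format; leave it for a human to inspect
    if not isinstance(params, list):
        return url
    for p in params:
        if isinstance(p, dict):
            for key in SECRET_PARAMS.intersection(p):
                p[key] = "[REDACTED]"
    qs["params"] = [json.dumps(params, separators=(",", ":"))]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(qs, doseq=True), parts.fragment)
    )


if __name__ == "__main__":
    method, params, callback = parse_jsonrpc_get(SAMPLE_URL)
    print("method:", method, "callback:", callback, "secret:", carries_secret(params))
    print("log line:", redact_url_for_log(SAMPLE_URL))
```

The redaction keeps the method name, the login name and the JSONP callback, which is what an operator needs to trace a request, and removes only the values named in `SECRET_PARAMS`; the same function can be applied to the `Referer` header a browser may send after a JSONP login, since that header carries the full URL as well.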
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla