Currently we are sending the Class and Method of the code to execute as plaintext in the reuqests. This is relatively insecure, as it exposes these to the user and a determined user could eventually find ways to poke around and abuse things. Since we're talking about a site with public areas, this should be of real concern.
In order to combat this, I propose encrypting all Class and Method strings before they hit the browser. We should able to do almost all of this in the XSL. For now, I mocked up using basic base64 encoding (which isn't secure but good for proof of concept) in javascript. So before the request goes to the server it encodes them. If we want to explore this further I'd move the encoding to the XSL and use a private-key encryption for the encoding.
I agree. Let's do it - as long as it doesn't cause leaks or slowness... how will this effect debugging? I am on board let's discuss at the 5/9 meeting.
Currently we are sending the Class and Method of the code to execute as plaintext in the reuqests. This is relatively insecure, as it exposes these to the user and a determined user could eventually find ways to poke around and abuse things. Since we're talking about a site with public areas, this should be of real concern.
In order to combat this, I propose encrypting all Class and Method strings before they hit the browser. We should able to do almost all of this in the XSL. For now, I mocked up using basic base64 encoding (which isn't secure but good for proof of concept) in javascript. So before the request goes to the server it encodes them. If we want to explore this further I'd move the encoding to the XSL and use a private-key encryption for the encoding.
See commit f090714
Thoughts?