modnaut
commented
11 years ago I agree. Let's do it - as long as it doesn't cause leaks or slowness... how will this effect debugging? I am on board let's discuss at the 5/9 meeting.
Closed dannycohn closed 11 years ago
modnaut
commented
11 years ago I agree. Let's do it - as long as it doesn't cause leaks or slowness... how will this effect debugging? I am on board let's discuss at the 5/9 meeting.
dannycohn
commented
11 years ago Pushed
Currently we are sending the Class and Method of the code to execute as plaintext in the reuqests. This is relatively insecure, as it exposes these to the user and a determined user could eventually find ways to poke around and abuse things. Since we're talking about a site with public areas, this should be of real concern.
In order to combat this, I propose encrypting all Class and Method strings before they hit the browser. We should able to do almost all of this in the XSL. For now, I mocked up using basic base64 encoding (which isn't secure but good for proof of concept) in javascript. So before the request goes to the server it encodes them. If we want to explore this further I'd move the encoding to the XSL and use a private-key encryption for the encoding.
See commit f090714
Thoughts?