On 09/08/10 12:43, Mike.lifeguard wrote:
> On 10-08-08 04:02 PM, John Doe wrote:
>> How about requiring a password/code to go along with rev_id in order to use the tool (similar to the move to commons process)?
>> Delta
> Yes, I suppose that's possible. Can we use Basic or Digest auth to protect parts of our web space? I suppose the tool itself could do authentication, I'd have to learn how...
*.toolserver.org is most likely full of XSS vulnerabilities. It doesn't matter what sort of authentication you use, it's pointless if anyone can run arbitrary client-side scripts on it via XSS. I don't think any private data should be delivered on this domain at all. And I don't think authenticated write operations should be there either.
-- Tim Starling