[wp-hackers] Security at Wordpress
Owen Winkler
ringmaster at midnightcircus.com
Mon Apr 24 18:55:35 GMT 2006
David House wrote:
> And thus, anyone that says switching to POST is a magic bullet needs
> to rethink their views. Switching is _not_ a less complex solution, as
> it would have to be introduced on top of nonces anyway.
Thank you for helping me say this more succinctly.
> However, I am a standards-are-good kind of guy and I would like to see
> a solution where we use POST wherever possible, with GET only as a
> fallback. Andrew K showed us that the UI hit is somewhat negligible
> (although a proper cross-browser solution is a prerequisite), so you
> have my +1 here. Basically, I don't see any advantage or disadvantage
> of either POST or GET.
If someone can offer a patch that switches actions to POST I would be
happy to see it, provided:
1) It doesn't affect the ability to moderate comments via GET links in
email notifications.
2) It maintains internally consistent UI throughout WordPress.
The sample page Andrew provided is not bad, but there are still some
issues with consistency in Safari. I don't know that there is a
workaround. The ones suggested previously didn't work for me; maybe I
missed one.
Owen
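The point made in the exchange above, that the nonce check rather than the HTTP method is what stops a forged request, as an added example in plain PHP (not WordPress code and not from this thread); the secret, the nonce lifetime, the `_wpnonce` and `c` parameter names and the user id are assumptions:

```php
<?php
// Added example: an action-scoped nonce that is verified the same way whether the
// request arrives as a POST form in the admin UI or as a GET link from a
// comment-notification email. Secret and lifetime are placeholder assumptions.
const NONCE_SECRET = 'replace-with-a-per-install-secret';
const NONCE_LIFE   = 43200; // 12 hours, in seconds

// Nonce for one (time window, action, user) triple; truncated HMAC keeps links short.
function nonce_for(int $tick, string $action, int $user_id): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), 0, 10);
}

function make_nonce(string $action, int $user_id, int $now): string {
    return nonce_for(intdiv($now, NONCE_LIFE), $action, $user_id);
}

function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    $tick = intdiv($now, NONCE_LIFE);
    // Accept the current and the previous window so an emailed link stays valid
    // for at least one full lifetime instead of expiring at the window boundary.
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(nonce_for($t, $action, $user_id), $nonce)) {
            return true;
        }
    }
    return false;
}

// One handler for both routes: $params is $_GET for the email link, $_POST for the form.
function moderate_comment(array $params, int $user_id, int $now): string {
    $comment_id = (int)($params['c'] ?? 0);
    $action     = 'approve-comment_' . $comment_id; // bind the nonce to this exact action
    if (!verify_nonce((string)($params['_wpnonce'] ?? ''), $action, $user_id, $now)) {
        return 'rejected: bad or missing nonce';
    }
    return 'approved comment ' . $comment_id;
}

$user = 1;
$now  = time();

// GET link as it would appear in a notification email, with the nonce embedded.
$email_link = 'http://example.com/wp-admin/comment.php?action=approve&c=42&_wpnonce='
    . make_nonce('approve-comment_42', $user, $now);
parse_str((string)parse_url($email_link, PHP_URL_QUERY), $get);
echo "email link: ", moderate_comment($get, $user, $now), "\n";

// POST form submission carrying the same nonce field.
$post = ['c' => 42, '_wpnonce' => make_nonce('approve-comment_42', $user, $now)];
echo "admin form: ", moderate_comment($post, $user, $now), "\n";

// Cross-site request: a third party can supply c=42 but not a valid nonce.
echo "no nonce:   ", moderate_comment(['c' => 42], $user, $now), "\n";
```

Changing the email link to POST would not change the outcome; the request without the nonce is refused either way.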