[wp-trac] Re: [WordPress Trac] #4529: Modal "Are You Sure?" dialogs should be replaced with "Undo" functionality.
WordPress Trac
wp-trac at lists.automattic.com
Mon Jun 25 20:57:30 GMT 2007
#4529: Modal "Are You Sure?" dialogs should be replaced with "Undo" functionality.
----------------------------+-----------------------------------------------
Reporter: markjaquith | Owner: anonymous
Type: task | Status: new
Priority: normal | Milestone: 2.4 (future)
Component: Administration | Version: 2.3
Severity: normal | Resolution:
Keywords: |
----------------------------+-----------------------------------------------
Comment (by markjaquith):
You're confusing the CSRF-preventing HTML form AYS screens (which have to
stay) with modal JS AYS dialogs (which are JS popup windows that you have
to deal with before you can do anything else in your browser window). The
modal JS windows are to prevent accidental actions because of errant mouse
clicks, not to prevent CSRF. They are layered on top of the CSRF
protection (that is, they ask you if you're sure, and then go to the
nonce'd URL, which, with an incorrect nonce, would trigger the CSRF AYS
HTML form).
Bottom line: no, this won't make WordPress any less secure from CSRF
attacks.
--
Ticket URL: <http://trac.wordpress.org/ticket/4529#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software