Posted to dev@shindig.apache.org by "Chris Chabot (JIRA)" <ji...@apache.org> on 2008/10/09 09:16:44 UTC

[jira] Commented: (SHINDIG-606) Move security token to header for XMLHttpRequests?

    [ https://issues.apache.org/jira/browse/SHINDIG-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12638210#action_12638210 ] 

Chris Chabot commented on SHINDIG-606:
--------------------------------------

For one, it would make the URL a lot more readable ... but would it have any influence on the browser's caching behavior in a negative way (i.e., make it cache when it shouldn't)?

If that's not the case, I'm +1 on the proposal.

> Move security token to header for XMLHttpRequests?
> --------------------------------------------------
>
>                 Key: SHINDIG-606
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-606
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Common Components (Java), Common Components (PHP)
>            Reporter: Evan Gilbert
>            Assignee: Evan Gilbert
>
> It seems slightly more secure if the security token were put into an HTTP header instead of in the URL when making requests back to the server from gadgets. This way the token is not normally logged by proxies, etc.
> We'd still probably support the URL parameter for debugging purposes.
> I'm not a security expert, possibly others with more experience can weigh in on how important this is.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
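
Added example (not part of the original message and not Shindig's code): a small model of the two points raised in this thread, what an access log records when the token is in the URL versus a header, and how a shared cache that keys on the URL treats a header-borne token. The parameter name `st`, the header name `X-Security-Token`, the URL and the token values are assumptions constructed for illustration.

```javascript
// Assumed names: "st" query parameter, "X-Security-Token" header (both hypothetical).
const TOKEN_HEADER = "X-Security-Token";

// Put the token either in the query string or in a request header.
function buildRequest(baseUrl, token, placement) {
  const url = new URL(baseUrl);
  const headers = {};
  if (placement === "url") url.searchParams.set("st", token);
  else headers[TOKEN_HEADER] = token;
  return { method: "GET", url: url.toString(), headers };
}

// Access logs normally record the request line, so a URL token lands in the log.
function accessLogLine(req) {
  const u = new URL(req.url);
  return `"${req.method} ${u.pathname}${u.search} HTTP/1.1"`;
}

// Toy shared cache: keyed on method + URL, refined by request headers named in Vary.
class SharedCache {
  constructor() { this.entries = new Map(); }
  fetch(req, origin) {
    const primary = `${req.method} ${req.url}`;
    const stored = this.entries.get(primary) || [];
    const hit = stored.find(e =>
      e.vary.every(h => e.reqHeaders[h] === req.headers[h]));
    if (hit) return hit.body;
    const res = origin(req);
    if (!/\b(private|no-store)\b/.test(res.headers["Cache-Control"] || "")) {
      const vary = (res.headers["Vary"] || "").split(",").map(s => s.trim()).filter(Boolean);
      this.entries.set(primary, [...stored, { vary, reqHeaders: req.headers, body: res.body }]);
    }
    return res.body;
  }
}

// Constructed origin: the response body depends on whose token was presented.
const makeOrigin = responseHeaders => req => ({
  body: `data for ${req.headers[TOKEN_HEADER] || new URL(req.url).searchParams.get("st")}`,
  headers: responseHeaders,
});

// Two users request the same URL with header tokens through one shared cache.
function secondUserSees(responseHeaders) {
  const cache = new SharedCache(), origin = makeOrigin(responseHeaders);
  const url = "https://container.example/gadgets/makeRequest"; // constructed URL
  cache.fetch(buildRequest(url, "token-alice", "header"), origin);
  return cache.fetch(buildRequest(url, "token-bob", "header"), origin);
}
```

With the token in a header, the URL no longer distinguishes users, so per-user responses need `Cache-Control: private` (or `no-store`) or a `Vary` on the token header to keep a URL-keyed cache from reusing one user's response for another.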