CSRF in Gemini

Jason McBrayer jmcbray at carcosa.net
Tue Jun 16 16:12:22 BST 2020


Francesco Gazzetta <fgaz at fgaz.me> writes:

>> CSRF protection via non-native nonces is ugly, can we do better than
>> the web?

My swimming-against-the-current proposal: all Gemini requests must be
idempotent. The easy way to make a request idempotent is to make it have
no side effects.

Yes, this effectively limits Gemini to a document-delivery protocol, and
strictly constrains what apps could be built on top of it. That may not
be a bad thing.

-- 
+-----------------------------------------------------------+  
| Jason F. McBrayer                    jmcbray at carcosa.net  |  
| If someone conquers a thousand times a thousand others in |  
| battle, and someone else conquers himself, the latter one |  
| is the greatest of all conquerors.  --- The Dhammapada    |  

