Better security with POST as opposed to GET default tip
authorAnant Narayanan <anant@kix.in>
Sat, 06 Feb 2010 00:04:58 +0100
changeset 2 87e68dba52efe1c00d548e46e4ebdbaa9045a1aa
parent 1 bd9d015fb34925b9176cb0149df6444664539787
push id3
push useranarayanan@mozilla.com
push dateFri, 05 Feb 2010 23:05:04 +0000
Better security with POST as opposed to GET
workers/javascripts/actions.js
workers/proxy.php
--- a/workers/javascripts/actions.js
+++ b/workers/javascripts/actions.js
@@ -4,17 +4,17 @@
 if ("undefined" == typeof(Weave)) {
   var Weave = {};
 };
 
 var WV_MAX_OBJECTS_PER_REQUEST = 10;
 
 var WV_VERSION = "1.0";
 var WV_USER_SERVER = "https://auth.services.mozilla.com/user/" + WV_VERSION;
-var WV_PROXY_PAGE = "http://localhost/wnew/proxy.php";
+var WV_PROXY_PAGE = "proxy.php";
 
 
 Weave.Actions = {
   /* The array with urls and titles that can be suggested to the user. */
   _suggestions : null,
   
   /* The controller of the suggestions. */
   _autoSuggestControl : null,
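Review bot: The new `WV_PROXY_PAGE = "proxy.php"` is resolved relative to the hosting document's URL, not to actions.js, and it inherits that document's scheme, so the username and password posted through the proxy travel in cleartext whenever the page itself is loaded over plain http. The benefit of the POST switch is keeping the credentials out of server access logs, browser history and Referer headers; it does not by itself add transport confidentiality. Either pin or derive an https URL for the proxy, or record the requirement next to the constant: `// Resolved relative to the hosting page, which must be served over HTTPS so the posted credentials are protected in transit.`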
@@ -295,17 +295,17 @@ Weave.Actions = {
       stringOfDdata += '=';
       stringOfDdata += aParameters[key];
       stringOfDdata += '&';
     }
     stringOfDdata = stringOfDdata.substr(0, stringOfDdata.length - 1);
 
     $.ajax(
       {
-        url: aURL, method: "GET", data: stringOfDdata,
+        url: aURL, type: "POST", data: stringOfDdata,
         success: aLoadedHandler, error: aErrorHandler
       });
   },
 
   /**
    * Handle error.
    * @param aXHR
    * @param aTextStatus
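Review bot: The POST body passed as `data: stringOfDdata` is still assembled by concatenating raw keys and values on the lines above without `encodeURIComponent`, so any value containing `&`, `=`, `+` or `#` (a password is the obvious case) is split or truncated when proxy.php parses it, and a crafted value can inject extra parameters into the forwarded request. jQuery serializes an object for you, so the manual string building can go: `data: aParameters,` — or, if the string form is kept, wrap both `key` and `aParameters[key]` in `encodeURIComponent`. The enclosing function starts outside the hunk, so the loop header and the declaration of `stringOfDdata` are not visible here.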
--- a/workers/proxy.php
+++ b/workers/proxy.php
@@ -1,20 +1,22 @@
 <?php
 header('Content-Type: text/plain');
-$username = $_GET['username'];
-$password = $_GET['password'];
-$url = $_GET['url'];
+
+// we use POST instead of GET because bodies are encrypted in HTTPS
+$username = $_POST['username'];
+$password = $_POST['password'];
+$url = $_POST['url'];
 
 
 // append all other parameters to the url
 $additionalParams = '';
 $separator = '?';
 
-foreach ($_GET as $key => $value) {
+foreach ($_POST as $key => $value) {
   if (($key != 'username') && ($key != 'password') &&
       ($key != 'url')) {
     $additionalParams = $additionalParams . $separator . $key . '=' .$value;
     $separator = '&';
   }
 }
 $url = $url . $additionalParams;