<p dir="ltr">On Thu, Apr 14, 2016 at 3:17 PM, Søren Løvborg <<a href="mailto:sorenl@unity3d.com">sorenl@unity3d.com</a>> wrote:<br>
</p>
<p dir="ltr">> Sorry, this is going to get long. :-)<br>
><br>
> Thomas De Schampheleire wrote:<br>
> > So this means updating Kallithea. Do you happen to be interested and<br>
> > available for such change?<br>
><br>
> Yes. I am currently looking into the Kallithea code to see how this<br>
> would work. There is definitely room for improvement. I'll get back to<br>
> you (and the list) when I have something more concrete.<br>
><br>
> Next, I wrote:<br>
> >>> (Aside: I did not look at the tgext.routes code, but I assume the<br>
> >>> override support is opt-in? Enabling it automatically for all applications<br>
> >>> could cause security issues for applications that don't have CSRF<br>
> >>> protection.)<br>
><br>
> Alessandro Molina replied:<br>
> > Nope, there is no opt-in.<br>
> > There isn't in routes itself too:<br>
> ><a href="https://github.com/bbangert/routes/blob/master/routes/middleware.py#L61-L70"> https://github.com/bbangert/routes/blob/master/routes/middleware.py#L61-L70</a><br>
> ><br>
> > Also even though you would opt-out you can still perform CSRF in any case by<br>
> > using an XMLHTTPRequest or a form.<br>
><br>
> Well, in Routes, it's an opt-out, but the option is there (the<br>
> use_method_override argument). I think it's a mistake to enable by<br>
> default.<br>
><br>
> Messing around with the HTTP request like this is definitely not<br>
> something you should do in a library, unless the application<br>
> explicitly asks for it, and even then only under certain limited<br>
> circumstances. This is why:<br>
></p>
<p dir="ltr">I'm sorry if my reply made you fervent about the topic; I quickly discarded the discussion about opt-in/out just because I found it pretty useless in this context, as it doesn't guarantee you are safe from cross-site attacks, and Kallithea needed that feature on in any case (it was actually added for Kallithea itself).</p>
<p dir="ltr">I was more interested in the concern of updating the environ key or not, which for consistency I would do, but it's open to interpretation.</p>
<p dir="ltr">I know that by RFC you should theoretically stick to some behaviours, but in practice they are not enforced, and the standard itself states it might be considered a feature to be able to override them. I mean, while it's wrong and will hit you back for many reasons, caching included... the world is full of apps that change things on GET requests...</p>
<p dir="ltr">I'll gladly add an option to opt in in tgext.routes if that makes you feel more comfortable; it won't change much for me, as there are no other apps apart from Kallithea that replace the whole routing stack in tg with tgext.routes, and it was made for Kallithea, so no one will complain ;)</p>
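<p dir="ltr">Added example (not code from this thread, from Routes or from tgext.routes): a small WSGI middleware showing the opt-in, POST-only form of method override that the quoted mail argues for, so that a <code>?_method=DELETE</code> on a plain GET link is never honoured and the application has to enable the feature explicitly. The <code>example.original_method</code> environ key, <code>echo_method_app</code>, <code>make_environ</code> and <code>seen_method</code> are constructed for illustration.</p>

```python
import io
from urllib.parse import parse_qs

# Verbs an HTML form cannot send itself; only these may be tunnelled through POST.
ALLOWED_OVERRIDES = {"PUT", "DELETE", "PATCH"}


class MethodOverrideMiddleware:
    """Opt-in WSGI method override: off by default, honoured only for POST form bodies."""

    def __init__(self, app, enabled=False, param="_method"):
        self.app = app
        self.enabled = enabled  # the application must ask for the override explicitly
        self.param = param

    def __call__(self, environ, start_response):
        # A ?_method=DELETE on a GET link is ignored: only a POSTed form may tunnel a verb.
        is_form_post = (environ.get("REQUEST_METHOD") == "POST" and
                        environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"))
        if self.enabled and is_form_post:
            body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
            wanted = parse_qs(body.decode("utf-8")).get(self.param, [""])[0].upper()
            if wanted in ALLOWED_OVERRIDES:
                # Keep the original verb under a hypothetical environ key for logging.
                environ["example.original_method"] = environ["REQUEST_METHOD"]
                environ["REQUEST_METHOD"] = wanted
            environ["wsgi.input"] = io.BytesIO(body)  # hand the consumed body back to the app
        return self.app(environ, start_response)


def echo_method_app(environ, start_response):
    """Minimal downstream app: answers with the request method it sees."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REQUEST_METHOD"].encode()]


def make_environ(method, query="", body=b""):
    """Construct a minimal WSGI environ for a sample form request."""
    return {"REQUEST_METHOD": method, "QUERY_STRING": query,
            "CONTENT_TYPE": "application/x-www-form-urlencoded",
            "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}


def seen_method(app, environ):
    """Run one request through `app` and return the method the app observed."""
    return b"".join(app(environ, lambda status, headers: None)).decode()
```

With the middleware left at its default, a POSTed <code>_method=DELETE</code> still reaches the application as a POST; with <code>enabled=True</code> the form may tunnel DELETE, while the same parameter in a GET query string changes nothing.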