#3796: remove _csrf_token from display URLs
--------------------------+-----------------------------
Reporter: till | Owner: webmaster
Type: enhancement | Status: new
Priority: major | Milestone: HANDWAVY-FUTURE
Component: Web Content | Version:
Severity: Normal | Keywords:
Blocked By: | Blocking:
Sensitive: 0 |
--------------------------+-----------------------------
= problem =
Several web-apps use a URL parameter called _csrf_token to prevent CSRF
attacks. This token is shown in the URL location bar in browsers and makes
URLs ugly and might lead to people exposing their CSRF token in e-mails.
= analysis =
HTML5 allows manipulating the contents of the URL location bar.
= enhancement recommendation =
Deploy JavaScript like
{{{
// Strip the _csrf_token parameter (and the separator it leaves behind).
var new_url = window.location.href
    .replace(/_csrf_token=[0-9a-f]{40}&?/, "")
    .replace(/(\?|&)$/, "");
history.replaceState({}, document.title, new_url);
}}}
to remove the CSRF token from URLs shown in browsers.
This code might be adjusted to work in all browsers, but it works at least
in Firefox. Maybe a JavaScript expert can take a look. The only
disadvantage of this method is that going back in the history will reload
a page that requires re-verification. But this might be solved by
storing the CSRF token in the history state. Also it does not seem to
cause real trouble.
--
Ticket URL: <https://fedorahosted.org/fedora-infrastructure/ticket/3796>
Fedora Infrastructure <http://fedoraproject.org/wiki/Infrastructure>
Fedora Infrastructure Project for Bugs, feature requests and access to our source code.
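A variant of the ticket's snippet, added here as an example (not part of the ticket or of Fedora's code): it parses the query string instead of matching with a regex, so the token is removed wherever it sits and any fragment is kept, and it stores the token in the history state as the ticket suggests. The names `stripCsrfToken` and `hideTokenInLocationBar`, the `csrfToken` state key and the sample host are assumptions.

```javascript
// Added example. Assumes the token format from the ticket: a "_csrf_token"
// query parameter holding 40 lowercase hex characters.
const TOKEN_PARAM = "_csrf_token";
const TOKEN_FORMAT = /^[0-9a-f]{40}$/;

// Pure helper: returns the URL without the token, plus the token itself.
function stripCsrfToken(href) {
  const url = new URL(href);
  const values = url.searchParams.getAll(TOKEN_PARAM);
  const token = values.find((v) => TOKEN_FORMAT.test(v)) || null;
  if (token === null) {
    // Nothing that looks like a token: leave the URL exactly as it was.
    return { href: href, token: null };
  }
  url.searchParams.delete(TOKEN_PARAM);
  return { href: url.toString(), token: token };
}

// Browser side: rewrite the current history entry so the location bar,
// bookmarks and copy/paste no longer show the token.
function hideTokenInLocationBar(win) {
  const result = stripCsrfToken(win.location.href);
  if (result.token !== null) {
    // Keep the token in the history state so a page script can recover it
    // when this entry is revisited, instead of forcing a re-verify.
    win.history.replaceState(
      { csrfToken: result.token },
      win.document.title,
      result.href
    );
  }
  return result.href;
}

// Only runs in a browser; under Node the helpers above are just defined.
if (typeof window !== "undefined") {
  hideTokenInLocationBar(window);
}
```

This only changes what the location bar and history entry show; the request that loaded the page already carried the token in its URL.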
#235: Prepare webpages for F20 Beta release
-----------------------+-----------------------
Reporter: robyduck | Owner: webmaster
Type: task | Status: new
Priority: critical | Milestone: ASAP
Component: General | Keywords:
Blocked By: | Blocking:
-----------------------+-----------------------
Beta branch has been created, banner added and state globalvar set.
Beta release process can be seen at \\
http://infrastructure.fedoraproject.org/infra/docs/fedorawebsites.txt
Still have to really start working on it:
* add countdown banners
* modify release counter
* add checksums
* Desktop Spins now are under the live/ dir
* check all the DL links and docs
* check Cloud script for beta AMI IDs and add the IDs
* ARM: verify shipped beta images
Should be all going smooth this time, most of the scripting work has been
done already for Alpha release (thx shaiton).
--
Ticket URL: <https://fedorahosted.org/fedora-websites/ticket/235>
fedora-websites <https://fedoraproject.org/wiki/Websites>
Fedora Website Team's Trac instance
#236: make prominent verify checksums under the DL splashscreen
--------------------------+-----------------------
Reporter: shaiton | Owner: webmaster
Type: enhancement | Status: new
Priority: major | Milestone: Fedora 20
Component: General | Keywords: checksum
Blocked By: | Blocking:
--------------------------+-----------------------
We now have *a lot* of checksums at the verify page.
I can think of 2 solutions:
- directly link the right checksum on the splashscreen (how to parse it
correctly?)
- link to the verify page passing through the DL target in order to
highlight the right case on the verify table
Solution #2 might be the easiest.
--
Ticket URL: <https://fedorahosted.org/fedora-websites/ticket/236>
#222: rfe: make amazon ec2 click-to-launch link a local redirect so we can see
how many times it's clicked
--------------------------+-----------------------
Reporter: mattdm | Owner: webmaster
Type: enhancement | Status: new
Priority: minor | Milestone:
Component: get.fp.o | Keywords:
Blocked By: | Blocking:
--------------------------+-----------------------
I kind of said it all in the subject there. :) The EC2 link is currently
directly to amazon. It would be nice to get a basic idea of how often it's
actually used, which we can't currently.
--
Ticket URL: <https://fedorahosted.org/fedora-websites/ticket/222>
Hello, my name is Nick aka wintermute. I was wondering if I would be allowed to
join your group if possible. I have some web experience in PHP, HTML and CSS;
if there are other skills required I can definitely learn them and apply them to
the team.
Hi,
I noticed a typo on your page: http://fedoraproject.org/wiki/FirewallD
In the part about Masquerading, it says: "The addresses of a private network a mapped to and hidden behind a public IP address." I believe it should say: "The addresses of a private network are mapped to and hidden behind a public IP address."
Just thought I'd let you know.
T. Curchod.
One of the top tutorials shown on http://fedoraproject.org/en/using/ --
the one here: http://fedoraproject.org/en/using/tutorials/launcher.html
does not work on the standard install of Fedora 19. I believe the tutorial
is outdated.
It says that I should:
1. Right-click on an empty area of your desktop.
2. Click on the *Create Launcher* item in the desktop right-click menu.
But right-clicking on the desktop, I only have options of "Settings" or
"Change Background"