undefined | Better HN

0 pointsadrianmsmith6y ago0 comments

I think making the mistake of "unscoped find" that "atom_enger" was referring to is just as easy a mistake to make when writing a REST backend (to support a SPA front-end framework) as when using a traditional non-SPA web framework.

It's tempting, when writing a REST backend, to respond to e.g. "PUT /message/:id" by just executing "UPDATE ... WHERE message_id=?" from the parameter, without checking that that message belonged to the user whose credentials have been used to access the call.

That's possible with a non-SPA web framework, and it's also possible when writing REST backends.

0 comments

tptacek6y ago

Authz bugs are the most common bugs in every application, and no framework has a particular edge on stamping them out. I'm just responding to the claim about Rails having a security edge due to XSS protection, which it does not; in fact, it's become somewhat the opposite.

j / k navigate · click thread line to collapse

0 pointsadrianmsmith6y ago0 comments

That's possible with a non-SPA web framework, and it's also possible when writing REST backends.

0 comments

tptacek6y ago

j / k navigate · click thread line to collapse