Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

If we are talking about a perfect solution, converting to POSTs won't cut it either. You can place a button on a site A which transfers data to site B. Sometimes it's a feature (vote here for our site), sometimes it's an exploit.

(JavaScript may be another issue here? Can I issue POST requests from JavaScript?)

I suggest we add Barry's code to the stock release, issue a patch (request-processor-procs.tcl is stable over many versions of OpenACS), and then try to wiggle out a perfect solution.
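Added example, not part of the original post and not Barry's code or OpenACS code: a sketch of why a method-only check cannot tell a form hosted on another site from the site's own form, while a token bound to the session can. The request dictionaries, the `session_id` cookie, the `csrf_token` field and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; a real deployment loads it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)

def issue_token(session_id: str) -> str:
    """Token the server embeds as a hidden field in forms it renders itself."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def post_only_check(request: dict) -> bool:
    """The 'convert to POSTs' policy: only the HTTP method is inspected."""
    return request["method"] == "POST"

def token_check(request: dict) -> bool:
    """Require POST plus a form token bound to the session cookie."""
    if request["method"] != "POST":
        return False
    session_id = request["cookies"].get("session_id", "")
    supplied = request["form"].get("csrf_token", "")
    if not session_id or not supplied:
        return False
    return hmac.compare_digest(issue_token(session_id), supplied)

def sample_requests() -> dict:
    """Constructed requests as the server on site B would see them."""
    sid = "constructed-session-123"
    cookies = {"session_id": sid}  # the browser attaches this to every request to site B
    return {
        # Form rendered by site B itself, so it carries the hidden token.
        "same_site": {"method": "POST", "cookies": cookies,
                      "form": {"vote": "1", "csrf_token": issue_token(sid)}},
        # Button hosted on site A: same method, same cookie, no token.
        "cross_site": {"method": "POST", "cookies": cookies,
                       "form": {"vote": "1"}},
        # Form on site A that supplies a guessed token value.
        "cross_site_guess": {"method": "POST", "cookies": cookies,
                             "form": {"vote": "1", "csrf_token": "0" * 64}},
    }

def evaluate() -> dict:
    """Map each sample request to (post_only_check result, token_check result)."""
    return {name: (post_only_check(r), token_check(r))
            for name, r in sample_requests().items()}

if __name__ == "__main__":
    for name, (by_method, by_token) in evaluate().items():
        print(f"{name:17} post_only={by_method} token={by_token}")
```

All three requests pass the method-only check; only the form rendered by site B passes the token check.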