[wp-hackers] Forum Help
Matthew Mullenweg
m at mullenweg.com
Sun May 15 20:44:59 GMT 2005
Matthew Thomas wrote:
> And it doesn't
> protect people using GWA (though I see you have a patch for that), or
> people using another prefetching accelerator.
The MOZ prefetch header seems to be a convention, which is why Google
adopted it. Accelerators have been around a while, none have been as
brain-dead as Google's "beta" as far as I know.
> And it doesn't let you
> have Referers turned off a la RFC 2616 section 15.1.3 (but you knew that
> already).
There are always tradeoffs in a secure system.
> And it makes extra work for anyone who renames the wp-admin/
> directory to deter attackers.
Renaming wp-admin wouldn't deter attackers, is not supported in any way in
the program (maybe we could add some options for it :-p), and is "snake
oil" security, which we don't endorse or encourage.
> Using POST buttons where appropriate,
> instead of links, would fix all those problems, but I guess there's some
> good reason for not using them.
Finally! Thanks for understanding that the real world may appear simple
from the heights of the ivory tower but actually there's usually a good
reason for everything in a mature system even if it's not immediately
apparent.
Google, for all their strengths, was idiotic for releasing a product
that breaks the way millions of web applications, including some of
their own, work. Note that no one from Google came out citing RFCs as
the reason their product is wreaking havoc across the web, because they
realize more than anyone else that GWA is broken, which is *why they
took it down after just a few days*. I find it funny that so many
people are rushing to their defense -- they're a big company and can
defend themselves.
--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://pingomatic.com | http://cnet.com