Either use or don't use HTTPS
The risk of injection attacks over HTTP is too great to support a site that serves both HTTP and HTTPS...
@@ -329,29 +329,6 @@ class OpenIDPlugin extends Plugin
|
||||
return parent::onAutoload($cls);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sensitive actions
|
||||
*
|
||||
* These actions should use https when SSL support is 'sometimes'
|
||||
*
|
||||
* @param Action $action Action to form an URL for
|
||||
* @param boolean &$ssl Whether to mark it for SSL
|
||||
*
|
||||
* @return boolean hook return
|
||||
*/
|
||||
function onSensitiveAction($action, &$ssl)
|
||||
{
|
||||
switch ($action)
|
||||
{
|
||||
case 'finishopenidlogin':
|
||||
case 'finishaddopenid':
|
||||
$ssl = true;
|
||||
return false;
|
||||
default:
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Login actions
|
||||
*
|
||||
|