launchpad-dev team mailing list archive
Message #03674
Re: Fwd: [Fwd: Quickly and Launchpad]
On 25 June 2010 21:54, Robert Collins <robert.collins@xxxxxxxxxxxxx> wrote:
> I like the idea of sending emails when important account settings are
> changed: it helps with:
> - cross site attacks
> - apis that permit changing such settings
> - screen scraping via embedded browser instances
>
> and possibly more.
>
> It's also nonintrusive and straightforward, and we could include a
> confirmation token in the email people get sent too, if we felt that's
> needed.

Yes, I think sending email to the old/most trusted address is the best
practice here.

Adding a confirmation click (and I note your "if") does somewhat get
in the way of doing things, well, quickly. I think generally the rule
should be that we require it for API changes when we require it for
changes through the web interface.
--
Martin
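
The two points made in this thread (mail goes to the address on file before the change, and the confirmation rule is the same for API and web) can be sketched as follows. This is an added example, not Launchpad code and not written by either poster; every name in it (`request_change`, `confirm_change`, `NEEDS_CONFIRMATION`, the account dict layout, the secret and the addresses) is hypothetical.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"          # assumption: server-side secret, constructed here
NEEDS_CONFIRMATION = {"preferred_email"}  # assumption: one policy table shared by all channels
TOKEN_TTL = 3600                          # assumption: tokens are valid for one hour


def _sign(account, setting, value, expires):
    # JSON-encode the fields so no field value can be confused with another.
    msg = json.dumps([account["name"], setting, value, expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_change(account, setting, value, channel, outbox, now=None):
    """Handle a change request arriving via "web" or "api".

    Mail always goes to the address on file before the change. `channel`
    is only reported in the mail; it never selects the policy.
    """
    now = int(time.time()) if now is None else now
    old_address = account["preferred_email"]
    if setting in NEEDS_CONFIRMATION:
        expires = now + TOKEN_TTL
        token = f"{expires}.{_sign(account, setting, value, expires)}"
        outbox.append((old_address, f"Confirm {setting} change requested via {channel}: {token}"))
        return "pending"  # nothing is changed until the token comes back
    account[setting] = value
    outbox.append((old_address, f"{setting} was changed via {channel}"))
    return "applied"


def confirm_change(account, setting, value, token, now=None):
    """Apply a pending change only if the token is unexpired and matches it."""
    now = int(time.time()) if now is None else now
    expires_text, _, mac = token.partition(".")
    if not (expires_text.isascii() and expires_text.isdigit()) or int(expires_text) < now:
        return False
    expected = _sign(account, setting, value, int(expires_text))
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    account[setting] = value
    return True
```

The token is bound to the account, the setting and the requested value, so a token mailed for one change cannot be used to confirm a different one.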