2017-06-08, 02:43
(2017-06-08, 01:43) Milhouse Wrote: (2017-06-08, 01:30) kkoa Wrote: Added: [pkg] PR:12265: [webserver] dont allow jsonrpc over http get
I think this change is not good as I sometimes use JSON RPC via the web browser for non read-only methods which then won't work anymore.
The problem is that using GET requests to modify data is a security risk as any website open in your browser could silently execute a GET request against a local Kodi web server (assuming it knows the IP address and port). The original discussion started here (see "Security concerns" section). If you have concerns you'd best post a comment in the PR while it's still open.
Yeah, I read the PR. Doubt they would change it just for me even though I have never heard of anybody hijacking Kodi. For extended security one could just set a password for the web interface.
Wouldn't it still be possible to make a form targeting a frame to hijack Kodi with a POST request then?
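
Added example, not part of the original posts and not Kodi's code: a server-side gate for a JSON-RPC endpoint that applies the rule from the PR title (no GET) and, as assumptions of this example, also requires a JSON content type and a matching `Origin` on POST. The function name, the policy beyond the GET rule, and the sample addresses are hypothetical.

```python
from urllib.parse import urlsplit


def check_jsonrpc_request(method, headers):
    """Return (allowed, reason) for a request to a JSON-RPC endpoint.

    Hypothetical policy function; `headers` is a dict of request headers.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # Rule from the PR title: JSON-RPC is not served over HTTP GET.
    if method.upper() != "POST":
        return False, "method not allowed"

    # Assumed extra rule: the body must be declared as JSON. An HTML form can
    # only submit application/x-www-form-urlencoded, multipart/form-data or
    # text/plain, so a plain cross-site form never passes this check.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "content-type must be application/json"

    # Assumed extra rule: when a browser supplies Origin, it must name the
    # same host:port the request was sent to. Non-browser clients that send
    # no Origin header are unaffected.
    origin = h.get("origin")
    if origin is not None:
        if urlsplit(origin).netloc.lower() != h.get("host", "").lower():
            return False, "cross-origin request"

    return True, "ok"


# Constructed sample requests (192.0.2.10 and example.test are placeholders).
HOST = "192.0.2.10:8080"
SAMPLES = [
    ("GET", {"Host": HOST}),
    ("POST", {"Host": HOST, "Origin": "http://example.test",
              "Content-Type": "application/x-www-form-urlencoded"}),
    ("POST", {"Host": HOST, "Origin": "http://example.test",
              "Content-Type": "application/json"}),
    ("POST", {"Host": HOST, "Origin": "http://" + HOST,
              "Content-Type": "application/json; charset=utf-8"}),
    ("POST", {"Host": HOST, "Content-Type": "application/json"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers.get("Origin"), check_jsonrpc_request(method, headers))
```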