[mythtv-users] visit from googlebot

Peter Watkins peterw at tux.org
Tue Oct 3 13:05:29 UTC 2006


On Mon, Oct 02, 2006 at 01:36:43PM -0400, Michael T. Dean wrote:

> The reason why I feel the Recorded Programs page is a good case for 
> ignoring the recommendation is because there is only one way to do a 
> POST request from HTML--with an HTML form.  Imagine having 176 (my 
> current number of recordings) forms and/or buttons on that page.  And, 
> while it's possible to use JavaScript to submit a POST request in 
> response to clicking a link, there are many browsers that don't support 
> JavaScript, and I'm pretty certain Chris is trying to ensure that at 
> least one theme doesn't require JavaScript.

I don't think many folks care how many <form> elements are in the HTML.
As for buttons, one could use <script>/<noscript> to display "submit"
controls as pretty hyperlinks in JS-compatible clients and as old-school
buttons (or image submit controls) in JS-incompatible browsers.

> So, the best thing to do is keep the Google bot off your website.  After 

No doubt.

I haven't assessed it myself, but I think someone should take a look at MythWeb
from the standpoint of Cross-Site Request Forgery. Even with authentication,
a CSRF vulnerability could leave your recordings vulnerable to unintentional
deletion while browsing the web. The attacker would need to know your MythWeb
URL (which is leaked in Referer headers to IMDB, etc. due to non-anonymizing
outbound hyperlinks) and I expect would need to guess a recording name -- but
since multiple CSRF attacks can be embedded in a single HTML document, that's
not too reassuring. 

-Peter
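
Added example, not part of the original message and not MythWeb code: a server-side gate for a state-changing action such as deleting a recording, which refuses GET requests (what a crawler or an embedded cross-site fetch sends) and requires a token bound to the logged-in session. The names `issue_token`, `allow_state_change`, the `csrf_token` form field and the session values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-install secret kept server-side (generated here for the demo).
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str, action: str) -> str:
    """Token bound to the logged-in session and action; embedded in the form."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def allow_state_change(method: str, session_id: str, action: str, form: dict) -> bool:
    """Decide whether a request may perform `action` (e.g. delete a recording)."""
    # 1. Crawlers and link/image fetches are GETs: never change state on them.
    if method.upper() != "POST":
        return False
    # 2. A forged cross-site POST carries the user's cookie but cannot read
    #    the token from the page, so the token arrives missing or wrong.
    submitted = form.get("csrf_token", "")
    expected = issue_token(session_id, action)
    return hmac.compare_digest(submitted.encode(), expected.encode())


def demo() -> dict:
    """Run the gate over constructed requests and return each decision."""
    sid = "constructed-session-id"  # constructed sample value
    action = "delete_recording"
    return {
        "crawler_get": allow_state_change("GET", sid, action, {}),
        "forged_post": allow_state_change("POST", sid, action, {"title": "guess"}),
        "other_session_token": allow_state_change(
            "POST", sid, action, {"csrf_token": issue_token("other", action)}),
        "genuine_form": allow_state_change(
            "POST", sid, action, {"csrf_token": issue_token(sid, action)}),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```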


