22:49 <maurer> In URLs, is the url implicitly "secret"?

22:49 <maurer> err, in grain URLs rather

22:49 <maurer> I'm wondering whether or not you get CSRF protection "for free" in https'd, non-proxy'd sandstorm

22:50 <maurer> (basically I'm wondering whether the grain ID is a capability identifier, and so there is a different one for each privilege level, or if it is just a site identifier, and so any user on the site would have the grain id)

22:52 <dwrensha> the grain ID is not a secret, and is the same for every user

22:53 <dwrensha> each session gets a different host

22:54 <dwrensha> e.g. https://cfe82034d237f33e757241fbf4b7a3d3.oasis.sandstorm.io

22:54 <maurer> Hm.

22:55 <maurer> I guess the separate host _should_ make the form urls secret?

22:55 <maurer> basically I'm trying to figure out if there's a way to use the fact that sandstorm is capability oriented to dodge csrf reqs

22:56 <dwrensha> if someone can eavesdrop on your DNS requests, you still might be in trouble

22:57 <dwrensha> https://docs.sandstorm.io/en/latest/using/security-practices/#client-sandboxing

23:12 <maurer> Hm, that's true

23:12 <maurer> And DNS is not generally secured

23:12 <maurer> a shame it couldn't be in the url somewhere instead :/

23:12 <maurer> (or maybe a separate secret in the URL)

23:13 <maurer> dwrensha: Would that work? e.g. if it was https://cfe82034d237f33e757241fbf4b7a3d3.oasis.sandstorm.io/abcdef1234567890/

23:14 <maurer> that seems like it'd provide significant additional XSRF mitigation in the event that SSL was available

23:14 <maurer> (the url thing there just being another separate, similarly lengthed session token)