Fixing CSRF exploits in Infrastructure

Till Maas opensource at till.name
Tue Nov 25 22:45:49 UTC 2008


On Tue November 25 2008, Mike McGrath wrote:

> GET vs POST is an interesting discussion.  From a security point of view
> though the only advantage is in how we log and that GET requests stay in
> the logs.

There may also be some other issues, e.g. when GET requests are used to submit 
confidential data, because then they may also be stored in the browser's 
history. But my concern was not about security issues.

> Obviously though an authenticated web crawler could accidentally do some
> serious damage.

It would not necessarily be serious damage, but the browser's session 
management could show annoying behaviour, because then some requests could 
be made every time a user restores a browser session.

Regards,
Till
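As an added illustration of the GET-versus-POST point in this thread (example code written for this page, not anything from the Fedora Infrastructure code base): the first handler below changes state on a plain GET, so any request the browser issues with the user's cookie attached, whether from an attacker's <img> tag, a crawler, a bookmark, or a restored browser session, performs the deletion. The second handler accepts only POST and requires a per-session synchronizer token, which a cross-site page cannot read. The endpoint paths, the in-memory session store and the item names are all assumptions made up for the demonstration.

```python
import secrets

# Constructed in-memory state for the demo; a real application would use a
# database and a proper session store.
ITEMS = {}
SESSIONS = {}  # session_id -> {"user": str, "csrf": str}


def login(user):
    """Create a session cookie value and a per-session CSRF token (assumed design)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_for(request):
    return SESSIONS.get(request.get("cookies", {}).get("session"))


def delete_item_via_get(request):
    """Vulnerable handler (hypothetical /delete endpoint): state change on GET.

    The only thing checked is the session cookie, which the browser attaches
    automatically, so a forged or replayed GET is indistinguishable from a
    deliberate one.
    """
    sess = session_for(request)
    if sess is None:
        return 401, "login required"
    name = request.get("query", {}).get("item")
    ITEMS.setdefault(sess["user"], set()).discard(name)
    return 200, f"deleted {name}"


def delete_item_via_post(request):
    """Hardened handler (hypothetical /delete2 endpoint): POST plus token.

    A GET never changes state, and the POST must carry the token that only
    a page rendered by this application for this session can contain.
    """
    if request["method"] != "POST":
        return 405, "method not allowed"
    sess = session_for(request)
    if sess is None:
        return 401, "login required"
    sent = request.get("form", {}).get("csrf_token", "")
    if not secrets.compare_digest(sent, sess["csrf"]):
        return 403, "bad csrf token"
    name = request["form"].get("item")
    ITEMS.setdefault(sess["user"], set()).discard(name)
    return 200, f"deleted {name}"


def route(request):
    if request["path"] == "/delete":
        return delete_item_via_get(request)
    if request["path"] == "/delete2":
        return delete_item_via_post(request)
    return 404, "not found"


def demo():
    """Replay the scenarios discussed in the thread against both handlers.

    Returns the status codes observed and the items alice has left.
    """
    ITEMS["alice"] = {"pkg-1", "pkg-2", "pkg-3"}
    sid = login("alice")
    cookies = {"session": sid}
    results = {}
    # 1. An attacker page embeds <img src="https://app.example/delete?item=pkg-1">,
    #    or the browser re-requests that URL on session restore: the GET handler acts.
    results["forged_get"] = route({"method": "GET", "path": "/delete",
                                   "cookies": cookies, "query": {"item": "pkg-1"}})[0]
    # 2. The same kind of request against the hardened endpoint is refused.
    results["forged_get_hardened"] = route({"method": "GET", "path": "/delete2",
                                            "cookies": cookies, "query": {"item": "pkg-2"}})[0]
    # 3. A cross-site auto-submitted form cannot know the token, so it is refused too.
    results["forged_post"] = route({"method": "POST", "path": "/delete2",
                                    "cookies": cookies,
                                    "form": {"item": "pkg-2", "csrf_token": "guess"}})[0]
    # 4. A form rendered by the application itself carries the real token.
    results["real_post"] = route({"method": "POST", "path": "/delete2",
                                  "cookies": cookies,
                                  "form": {"item": "pkg-3",
                                           "csrf_token": SESSIONS[sid]["csrf"]}})[0]
    return results, ITEMS["alice"]


if __name__ == "__main__":
    print(demo())
```

Note that moving to POST alone only removes the accidental triggers (crawlers, session restore, prefetching); a deliberate attacker can still auto-submit a cross-site form, which is why the token check is the part that actually closes the CSRF hole.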

