Fixing CSRF exploits in Infrastructure
Till Maas
opensource at till.name
Tue Nov 25 23:53:53 UTC 2008
On Tue November 25 2008, Toshio Kuratomi wrote:
> Till Maas wrote:
> > It is recommended to not use GET requests to change state on the server,
> > therefore it would be probably better to change these GET requests to
> > POST requests.
>
> The proposal doesn't specifically mention POST there as well but it
> should to make things clearer:
>
> "Every time we submit a form or make a GET request that can change state
> on the server"
>
> s/submit/POST/
> /me changes that now.
>
> The reasons the proposal is explicit about GET are:
>
> 1) We'd have to constantly audit code for places where GET is being used
> to alter state and change that. This is doable if the app authors are
> aware of this but not so scalable if it's me going through and making
> those changes.
Now I am confused. Do you want to require the token for every request of an
authenticated user then, regardless of whether or not they can change state
on the server?
Regards,
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20081126/6be4898e/attachment.bin
More information about the infrastructure
mailing list