chemistry-dev mailing list archives

From Florian Müller <f...@apache.org>
Subject Re: CSRF check on content GET
Date Fri, 28 Sep 2018 15:47:11 GMT
Hi Florent,

I have to admit that I can't recall right now why there is a CSRF
check.
But the fact that I spent the effort implementing it makes me believe
that there was a good enough reason.

I'll keep thinking about it...


- Florian



> Hi Florian,
> 
> Could you explain the reasoning behind the fact that CsrfManager#check
> verifies the token in the request parameter if this is a GET content
> request?
> 
> I don't see the point in doing any CSRF check for a GET... In other
> words, I don't see an attack model that would make this necessary.
> 
> Thanks,
> Florent
