chemistry-dev mailing list archives

From Florent Guillaume <fguilla...@nuxeo.com>
Subject CSRF check on content GET
Date Fri, 28 Sep 2018 13:33:41 GMT
Hi Florian,

Could you explain the reasoning behind the fact that CsrfManager#check
verifies the token in the request parameter if this is a GET content
request?

I don't see the point in doing any CSRF check for a GET... In other words,
I don't see an attack model that would make this necessary.

Thanks,
Florent

-- 
Nuxeo <https://www.nuxeo.com/>

Florent Guillaume  Head of R&D  LinkedIn <https://www.linkedin.com/in/fguillaume/>  Twitter <https://twitter.com/efge>  Github <https://github.com/efge>

Nuxeo Content Services Platform. Stay ahead.
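Added illustration of the check the message asks about (example code written for this archive page, not OpenCMIS's own CsrfManager): a toy token check that verifies a header token on non-GET requests and, depending on a policy switch, additionally verifies a token passed as a query parameter on GET content requests. The request shape, the parameter and header names (`token`, `X-CSRF-Token`, `cmisselector=content`), the sample requests and the `check_get_content` switch are all assumptions chosen to mirror the description in the message, not the project's real names or behaviour; the block takes no position on whether the GET check is warranted, it only makes the two policies concrete.

```python
"""Toy model of a CSRF token check with and without a GET content check.

Assumptions (not OpenCMIS code): header name 'X-CSRF-Token', query
parameter 'token', and 'cmisselector=content' marking a content request.
"""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class CsrfManager:
    HEADER = "X-CSRF-Token"   # assumed header name for non-GET requests
    PARAM = "token"           # assumed query parameter for GET content requests

    def __init__(self, check_get_content: bool):
        # Policy switch for the behaviour under discussion: whether a GET
        # content request must also present the token (as a query parameter).
        self.check_get_content = check_get_content
        # Per-session secret; a page on another origin cannot read it.
        self.session_token = secrets.token_urlsafe(32)

    @staticmethod
    def is_content_request(req: Request) -> bool:
        return req.params.get("cmisselector") == "content"

    def check(self, req: Request) -> bool:
        """Return True if the request passes the CSRF check."""
        if req.method == "GET":
            if self.check_get_content and self.is_content_request(req):
                presented = req.params.get(self.PARAM, "")
            else:
                return True  # other GETs are never checked
        else:
            presented = req.headers.get(self.HEADER, "")
        # Constant-time comparison so a mismatch does not leak token bytes.
        return hmac.compare_digest(presented, self.session_token)


def run_scenarios(check_get_content: bool) -> dict:
    """Evaluate constructed sample requests under one policy setting.

    'forged_*' requests model a cross-site request: the browser attaches the
    session cookie, but the attacker's page cannot supply the token.
    'own_*' requests model the application's own client, which knows it.
    """
    mgr = CsrfManager(check_get_content)
    tok = mgr.session_token
    doc = {"objectId": "doc-1"}  # constructed sample object id
    forged_post = Request("POST", params={"cmisaction": "delete", **doc})
    forged_get_content = Request("GET", params={"cmisselector": "content", **doc})
    forged_get_props = Request("GET", params={"cmisselector": "object", **doc})
    own_post = Request("POST", params={"cmisaction": "delete", **doc},
                       headers={CsrfManager.HEADER: tok})
    own_get_content = Request("GET", params={"cmisselector": "content",
                                             CsrfManager.PARAM: tok, **doc})
    return {
        "forged_post": mgr.check(forged_post),
        "forged_get_content": mgr.check(forged_get_content),
        "forged_get_props": mgr.check(forged_get_props),
        "own_post": mgr.check(own_post),
        "own_get_content": mgr.check(own_get_content),
    }


if __name__ == "__main__":
    for policy in (True, False):
        print(f"check_get_content={policy}: {run_scenarios(policy)}")
```

With `check_get_content=True` the forged GET content request is rejected like the forged POST; with `check_get_content=False` it is accepted, which is exactly the difference the message asks the reasoning for. Non-content GETs pass under both settings.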
