chemistry-dev mailing list archives

From Florent Guillaume
Subject CSRF check on content GET
Date Fri, 28 Sep 2018 13:33:41 GMT
Hi Florian,

Could you explain the reasoning behind the fact that CsrfManager#check
verifies the token in the request parameter if this is a GET content

I don't see the point in doing any CSRF check for a GET... In other words,
I don't see an attack model that would make this necessary.


Florent Guillaume, Head of R&D

Nuxeo Content Services Platform. Stay ahead.
