Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki, "internals@lists.php.net"
Date: Mon, 9 May 2016 21:44:59 -0700

Hi!

> I would like to hear ideas/comments before I write a patch for this.
> https://wiki.php.net/rfc/automatic_csrf_protection

Could you explain a bit more: when does token validation happen? Where does the SESSCSRF come from? Does this mean that every session application now has to support URL rewrite? What happens with applications that do not produce HTML at all, such as REST, or those that produce data further modified by a JavaScript frontend?

-- 
Stas Malyshev
smalyshev@gmail.com
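The questions above (when validation happens, where the session token comes from, and how non-HTML clients such as REST or JavaScript frontends would carry it) map onto a conventional per-session CSRF token scheme. The following is an added illustration written for this page; it is not code from the RFC, from the thread, or from PHP itself. The function names, the $_SESSION key 'csrf_token', the form field name and the X-CSRF-Token header name are all assumptions chosen for the example, and the session and request arrays are constructed in place so the script runs from the CLI without a web server.

```php
<?php
// Added example, not from the RFC or the thread. Names below (csrf_token,
// csrf_validate, the 'csrf_token' session key, the X-CSRF-Token header)
// are assumptions for illustration, not identifiers defined by the RFC.
declare(strict_types=1);

// Issue (or reuse) the session-bound token. This is the "where does the
// token come from" step: it is minted once per session from the CSPRNG
// and handed to the client when a form or API response is rendered.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Validate on every state-changing request (POST/PUT/PATCH/DELETE).
// The token may arrive as a hidden form field (HTML clients) or as a
// request header (REST / JavaScript clients), so a scheme tied only to
// URL rewriting would not cover the second group.
function csrf_validate(array $session, array $post, array $headers): bool
{
    if (!isset($session['csrf_token'])) {
        return false; // no token has been issued for this session yet
    }
    $sent = $post['csrf_token'] ?? $headers['X-CSRF-Token'] ?? null;
    if (!is_string($sent)) {
        return false;
    }
    // Constant-time comparison avoids leaking the token through timing.
    return hash_equals($session['csrf_token'], $sent);
}

// Small self-check helper so the script reports its own results.
function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed stand-ins for $_SESSION, $_POST and the request headers.
$session = [];
$token   = csrf_token($session);

// HTML form client: token travels in a hidden field.
$formPost = ['csrf_token' => $token, 'action' => 'delete_account'];
check(csrf_validate($session, $formPost, []), 'form field token accepted');

// REST / JavaScript client: token travels in a header, body has no field.
$apiHeaders = ['X-CSRF-Token' => $token];
check(csrf_validate($session, [], $apiHeaders), 'header token accepted');

// Cross-site request: no token at all.
check(!csrf_validate($session, ['action' => 'delete_account'], []), 'missing token rejected');

// Token minted for a different session must not validate here.
$otherSession = [];
$otherToken   = csrf_token($otherSession);
check(!csrf_validate($session, ['csrf_token' => $otherToken], []), 'foreign token rejected');

// Request that arrives before any token was issued.
check(!csrf_validate([], $formPost, []), 'request without session token rejected');
```

Run it with `php csrf_example.php`; each `check` line prints `ok: ...` or throws. The design points worth noting against the thread's questions: the token is bound to the session store rather than derived from the URL, validation is a single explicit step at the start of each state-changing request, and accepting the token from either a form field or a header is what lets REST and script-driven clients participate without any HTML rewriting.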