Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93150 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 78519 invoked from network); 10 May 2016 15:31:15 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 May 2016 15:31:15 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.47 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.220.47 mail-pa0-f47.google.com Received: from [209.85.220.47] ([209.85.220.47:35514] helo=mail-pa0-f47.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id CB/32-63163-2CEF1375 for ; Tue, 10 May 2016 11:31:14 -0400 Received: by mail-pa0-f47.google.com with SMTP id iv1so6751285pac.2 for ; Tue, 10 May 2016 08:31:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=pbb1u33YKrFAgqg63FCUi/093oMQr819qTEVmj3C0V4=; b=V6TSTNhotwsRnI6vhEDNSmFiopmSA+4sqKnpLTM12VdDmjx3vPMskVRr1LaPxY2Uzq DLCWlc2SnrCTgL27RKuZnULvgHUFtXJwokuZUpLEYfHAsSVjdVPidoOMF89RVIQRyQ4E k1DarNcRUlHtH97d48wfitRhmUg+IA5sDw4Y1IVPrJCK9GWFwbu8CdDO0zNdED0SYaaX 0vlGueRsaVZJGngEeroZzecvEtf/5XzAAFCadNnKRPLeYwKoFcEKtBQOX1u+rU0V+i7O Eb2FdhMkCP++ZGRZQpOAF4/cWnNXU+Vl5uc2s63h+zSTcN9RWvHEvapIU7L3rWmxV/DR hJDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=pbb1u33YKrFAgqg63FCUi/093oMQr819qTEVmj3C0V4=; b=Yjh/p7k64AzUGL7/A9PF3LxqYX3yIt8IvEOX890IbGyKCdAf3r4l0NiBZCh5ExcQfa eC1wOFHlc4b833j/2SEi9ItR/LZg7LrXAwAUOlvdDSytQmp+dYpVCv9cj0UJHaBDKE/L YXGX4CzmO07tlfQa2pgFtuxstyyZLOVzf/nPmeTM968z7zKPwAiPtc0ET/sCh18am6ir qmQ2R4vLdlycdWJXsKQWNI8ShkED6CvKAnDZcHxSvm4yDUtTm35wp/XgpxTT0+c2o3fs hElUWD0JuC0R3jp1H6f7+Gd2/W8e2TiFgNontaD32l3T8+9hLbVCzSA4MgQan5WscSZK MLnQ== X-Gm-Message-State: AOPr4FVtSSQTPbI+4rZ4Lev2C94ZmOnHtG7FvVfiOka4RTx7q5p8dSkvsf1Jj6XK+Q0pYQ== X-Received: by 10.66.194.230 with SMTP id hz6mr59566533pac.132.1462894271868; Tue, 10 May 2016 08:31:11 -0700 (PDT) Received: from ?IPv6:2602:304:cdc2:e5f0:8464:ff17:c821:d9ee? ([2602:304:cdc2:e5f0:8464:ff17:c821:d9ee]) by smtp.gmail.com with ESMTPSA id w15sm5390030pfa.34.2016.05.10.08.31.10 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 10 May 2016 08:31:10 -0700 (PDT) To: Yasuo Ohgaki References: Cc: "internals@lists.php.net" Message-ID: Date: Tue, 10 May 2016 08:30:54 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > To protect all of URLs automatically, all URLs need to have token. > That's the reason why all URLs have token. The risk is the same as > Trans SID session management. But not all URLs need protecting. There are a lot of URLs that do not need protecting - and there are a lot of actions, especially in modern web application, that aren't achieved by simply clicking the link in the browser. Modern web application is usually a combination of backend and frontend logic, and if you have any frontend logic driven by XHR or such, URL rewriting is not going to work. > Because of likelihood of the vulnerability, it's better provide basic > infrastructure. IMO. It's possible to give more control to users. The problem is the RFC proposes to give less control to users - namely, the defaults proposed are likely to break an average application *and* not provide CSRF protection for it. -- Stas Malyshev smalyshev@gmail.com