Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Date: Tue, 10 May 2016 15:58:53 -0700
References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com>

Hi!

>> Add where? And where would that value come from? The RFC says nothing about
>> that.
>
> As usual. Query parameter when GET is used. Additional input when POST
> is used. All users have to do is add a CSRF token to the JS program.

GET and POST aren't the only HTTP methods. And where would the JS program get
the correct token from? As far as I can see, there's no function in the
RFC that produces it.

-- 
Stas Malyshev
smalyshev@gmail.com