Newsgroups: php.internals
To: Yasuo Ohgaki, internals@lists.php.net
References: <2e590aa5-9345-02e5-c1a4-7e0470c6c5a3@fleshgrinder.com>
Date: Tue, 10 May 2016 16:01:12 -0700
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> Did you read the RFC?
> It does not enable CSRF protection for all websites, but only when it is enabled.

The RFC says: "Default: session.csrf_protection=1", which means all sites would have it (for POST) unless they specifically disable it by changing the configuration.

Also, the new variants do not account for the existence of other HTTP methods such as PUT, DELETE, etc. Value "2" also makes little sense - why would you want to protect GET, but not POST?

--
Stas Malyshev
smalyshev@gmail.com
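The objection above is that a check keyed on "POST only" misses PUT, DELETE and PATCH, and that a mode protecting GET but not POST inverts the threat model. The following is an added example, not code from the RFC draft or from PHP's session extension, showing the usual alternative: classify the request by whether its method is safe under RFC 7231 (GET, HEAD, OPTIONS, TRACE) and demand a token for every other method, accepted either as a form field or as an X-CSRF-Token header so that JavaScript clients issuing PUT/DELETE without a form body can pass it. The session key, form field and header names are assumptions chosen for this example.

```php
<?php
// Added example, not part of the RFC draft or of PHP's session extension.
// Keys the CSRF check on RFC 7231 method safety instead of on "POST only".
// CSRF_SESSION_KEY, CSRF_FORM_FIELD and CSRF_HEADER are names assumed here.
declare(strict_types=1);

const CSRF_SESSION_KEY = '__csrf_token';       // assumed session key name
const CSRF_FORM_FIELD  = '_csrf';              // assumed form field name
const CSRF_HEADER      = 'HTTP_X_CSRF_TOKEN';  // $_SERVER key for X-CSRF-Token

/** RFC 7231 "safe" methods: they must not change server state. */
function csrf_method_is_safe(string $method): bool
{
    return in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS', 'TRACE'], true);
}

/** Return the per-session token, generating it on first use. */
function csrf_token(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY]) || !is_string($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));  // 256-bit CSPRNG token
    }
    return $session[CSRF_SESSION_KEY];
}

/**
 * Safe methods pass without a token. Every other method (POST, PUT, PATCH,
 * DELETE, ...) must present the session token via form field or header.
 */
function csrf_request_is_valid(array $server, array $post, array &$session): bool
{
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if (csrf_method_is_safe($method)) {
        return true;
    }
    $expected = csrf_token($session);
    $supplied = $post[CSRF_FORM_FIELD] ?? $server[CSRF_HEADER] ?? null;
    if (!is_string($supplied)) {
        return false;   // unsafe method with no token at all
    }
    return hash_equals($expected, $supplied);   // constant-time comparison
}

// Constructed sample requests (not captured traffic).
$session = [];
$token   = csrf_token($session);

$cases = [
    ['GET',    [],                          []],                       // allowed: safe method
    ['POST',   [],                          []],                       // rejected: no token
    ['POST',   [CSRF_FORM_FIELD => $token], []],                       // allowed: form token
    ['DELETE', [],                          [CSRF_HEADER => $token]],  // allowed: header token
    ['PUT',    [],                          [CSRF_HEADER => 'wrong']], // rejected: bad token
];

foreach ($cases as [$method, $post, $extraServer]) {
    $server = ['REQUEST_METHOD' => $method] + $extraServer;
    printf("%-6s %s\n", $method, csrf_request_is_valid($server, $post, $session) ? 'allowed' : 'rejected');
}
```

The caveat a practitioner should keep in mind is the flip side of the "why protect GET but not POST" question: a method-safety check can only protect an application that respects method semantics. If the application mutates state on GET, no token scheme keyed on the method will help; the fix there is to move the action to an unsafe method, not to start demanding tokens on links.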