Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Kinn Julião
Cc: Stanislav Malyshev, internals@lists.php.net
Date: Wed, 11 May 2016 11:18:12 +0900

Hi Kinn,

On Wed, May 11, 2016 at 10:20 AM, Kinn Julião wrote:
>> JS code that does not have pages at all may obtain CSRF token manually.
>
> That's against CSRF protection... in fact, a remote app can obtain the token
> also and make the cross site request forgery...
>
> -1

You seem to have __misunderstood__ the behavior.

The random CSRF token generation key is stored in session data, which is
private to users. The CSRF token is generated by using the secret key.
Therefore, an attacker cannot get the CSRF token unless they have already
stolen the session (which is not in the scope of this RFC).

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
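The scheme Yasuo describes (a random key kept only in the session, with the token derived from it and only the derived token exposed to the page or JS) is shown below as an added example; it is not the RFC's implementation. It assumes HMAC-SHA256 over a form identifier as the derivation, which the mail does not specify, and that $_SESSION is available.

```php
<?php
// Added example, not the RFC's code. Per-session secret key plus a
// derived token; the key itself never leaves the server.

const CSRF_KEY_BYTES = 32;

// Create the per-session random key once. An attacker without the
// session cannot read it, so they cannot compute valid tokens.
function csrf_session_key(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_key'])) {
        // hex-encoded so the value stays printable in session storage
        $_SESSION['csrf_key'] = bin2hex(random_bytes(CSRF_KEY_BYTES));
    }
    return $_SESSION['csrf_key'];
}

// Derive the token embedded in a form, or handed to page-less JS code
// that requests it explicitly. Assumption: HMAC-SHA256 over a form id.
function csrf_token(string $form_id): string
{
    return hash_hmac('sha256', $form_id, csrf_session_key());
}

// Verify a submitted token by re-deriving it and comparing in
// constant time; a missing or foreign token fails closed.
function csrf_verify(string $form_id, ?string $submitted): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals(csrf_token($form_id), $submitted);
}

// Usage: embed csrf_token('login') as a hidden field or expose it via an
// endpoint to your own JS; on POST, require
// csrf_verify('login', $_POST['csrf_token'] ?? null) before acting.
```

Because the token is bound to the session key, a token minted under another session (or by a remote app with no session at all) fails csrf_verify(), which is the point Yasuo makes above.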