Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93190 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 68875 invoked from network); 11 May 2016 04:36:52 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 04:36:52 -0000 Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.221 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.221 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.221] ([81.169.146.221:55491] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 13/E0-64493-2E6B2375 for ; Wed, 11 May 2016 00:36:51 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1462941407; l=3705; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Date:From:In-Reply-To:References: MIME-Version; bh=0vUWPZ7GDlLbDI3iW9TDPm6TAKiGR6JgrrJeoFgNWxI=; b=FzgxU1INmUDEFUWJV7/qM+3Ux5NSEHSbabwQoGwJd92xN6m67F7H332d4wcUBRvGTyg LoP1ZrDfLGBAgf+bhK60HBhDsSqHiza8u96PYSEc+Cn3svfZ4fBCEAky9Ksnbs/h3IBbq i5U2X3UBF05S/KKQVyU4FU3bONwXVFVE2eQ= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtO3I6 X-RZG-CLASS-ID: mo00 Received: from mail-wm0-f41.google.com ([74.125.82.41]) by smtp.strato.de (RZmta 37.26 AUTH) with ESMTPSA id j03994s4B4akHYl (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA)) (Client did not present a certificate) for ; Wed, 11 May 2016 06:36:46 +0200 (CEST) Received: by mail-wm0-f41.google.com with SMTP id a17so60315692wme.0 for ; Tue, 10 May 2016 21:36:46 -0700 (PDT) X-Gm-Message-State: AOPr4FXWWiYIgWbLSKZWs+CBIpqFz9kufZD1/z49CVRxmQnr8gX1+Pwy85Z2gbnRSo8fSIT/exbaOpCym5vSMg== X-Received: by 10.28.230.69 with SMTP id d66mr21327001wmh.73.1462941406527; Tue, 10 May 2016 21:36:46 -0700 (PDT) MIME-Version: 1.0 References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> In-Reply-To: Date: Wed, 11 May 2016 04:36:36 +0000 X-Gmail-Original-Message-ID: Message-ID: To: Yasuo Ohgaki , Stanislav Malyshev Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a1147c6e2dd0a1505328996aa Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: me@kelunik.com (Niklas Keller) --001a1147c6e2dd0a1505328996aa Content-Type: text/plain; charset=UTF-8 Yasuo Ohgaki schrieb am Mi., 11. Mai 2016 03:11: > Hi Stas, > > On Wed, May 11, 2016 at 7:58 AM, Stanislav Malyshev > wrote: > >>> Add where? And where that value would come from? RFC says nothing about > >>> that. > >> > >> As usual. Query parameter when GET is used. Additional input when POST > >> is used. All users have to do is adding CSRF token to JS program. > > > > GET and POST aren't the only HTTP methods. And where JS program would > > get the correct token from? As far as I can see, there's no function in > > the RFC that produces it. > > PHP doesn't have other method support yet. > You can use whatever method you like. It's the browsers that don't support other methods in forms. And JS needs a preflight request for other methods, so that shouldn't be an issue. If users have their implementation PUT/etc, they may validate CSRF > token manually. > > I intended this feature for simple applications that lacks CSRF > protection at first, but it seems I'm better to change objective. I'll > change target to semi automatic/manual CSRF protection. > > Regards, > > -- > Yasuo Ohgaki > yohgaki@ohgaki.net > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > --001a1147c6e2dd0a1505328996aa--