Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93192 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 71723 invoked from network); 11 May 2016 04:40:35 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 04:40:35 -0000 Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.220 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.220 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.220] ([81.169.146.220:21618] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 0F/81-64493-2C7B2375 for ; Wed, 11 May 2016 00:40:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1462941632; l=2914; s=domk; d=kelunik.com; h=Content-Type:Cc:To:Subject:Date:From:In-Reply-To:References: MIME-Version; bh=oG9QzQq2Ea09167cuk/XBgFstuRLWZGwjnBXRIVAx7E=; b=YdM1tt92FzXFJcYrlO8dw2nen16KWvY8f0fZrD65AQU+IroU013oScf7UJodW5SqdKh gKv9cMLOtH4J02rbRFUAyihdNsKYu63l/GQAYwFQ3ZaPImegcX6Hs+cBXmVfW/Zj2U1rs fCS943xW6I8IJLqw6i0b1tPILUmxwTTab1U= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtOnI6 X-RZG-CLASS-ID: mo00 Received: from mail-wm0-f51.google.com ([74.125.82.51]) by smtp.strato.de (RZmta 37.26 AUTH) with ESMTPSA id R05d2es4B4eWI83 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA)) (Client did not present a certificate) for ; Wed, 11 May 2016 06:40:32 +0200 (CEST) Received: by mail-wm0-f51.google.com with SMTP id n129so202920376wmn.1 for ; Tue, 10 May 2016 21:40:32 -0700 (PDT) X-Gm-Message-State: AOPr4FUbrEfG9M/mdkjtKEZ+s0HHpkwSlp8iQMZvJX00LUo+OCt+vINolzsOKnpxB729Hxv0xxxwgvSYT3m8mQ== X-Received: by 10.28.230.69 with SMTP id d66mr21342909wmh.73.1462941632061; Tue, 10 May 2016 21:40:32 -0700 (PDT) MIME-Version: 1.0 References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> In-Reply-To: Date: Wed, 11 May 2016 04:40:22 +0000 X-Gmail-Original-Message-ID: Message-ID: To: Yasuo Ohgaki , Stanislav Malyshev Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a1147c6e24e66be053289a4c3 Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: me@kelunik.com (Niklas Keller) --001a1147c6e24e66be053289a4c3 Content-Type: text/plain; charset=UTF-8 Yasuo Ohgaki schrieb am Mi., 11. Mai 2016 00:05: > Hi Stas, > > On Wed, May 11, 2016 at 12:32 AM, Stanislav Malyshev > wrote: > >> What happens with applications that do not produce HTML at all, such as > REST, > >> - These apps may add SESSCSRF value manually. > > > > Add where? And where that value would come from? RFC says nothing about > > that. > > As usual. Query parameter when GET is used. Additional input when POST > is used. All users have to do is adding CSRF token to JS program. > Again: GET doesn't need any protection, it must be idempotent. Query parameter is a very bad idea, just like session IDs in the query parameter are a bad idea. Maybe we should think about removing support for it. Regards, > > -- > Yasuo Ohgaki > yohgaki@ohgaki.net > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > --001a1147c6e24e66be053289a4c3--