Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Niklas Keller
Cc: Stanislav Malyshev, internals@lists.php.net
Date: Wed, 11 May 2016 13:50:01 +0900

Hi Niklas,

On Wed, May 11, 2016 at 1:40 PM, Niklas Keller wrote:
> Yasuo Ohgaki wrote on Wed., 11 May 2016 00:05:
>>
>> Hi Stas,
>>
>> On Wed, May 11, 2016 at 12:32 AM, Stanislav Malyshev wrote:
>> >> What happens with applications that do not produce HTML at all, such as
>> >> REST,
>> >> - These apps may add SESSCSRF value manually.
>> >
>> > Add where? And where would that value come from? The RFC says nothing about
>> > that.
>>
>> As usual. Query parameter when GET is used. Additional input when POST
>> is used. All users have to do is add the CSRF token to the JS program.
>
> Again: GET doesn't need any protection, it must be idempotent.
>
> Query parameter is a very bad idea, just like session IDs in the query
> parameter are a bad idea. Maybe we should think about removing support for
> it.

I agree users should use POST rather than GET. However, many codes use GET,
and it could be used safely. E.g. many web APIs use an AUTH key in query
strings. It's not a security issue because of its usage. So I didn't ignore
GET usage.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
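One way a REST endpoint can carry out the check discussed above (a session-bound token that a JS client sends with each state-changing request), written here as an added example that is not code from the RFC draft or from either poster; it follows the reply's point that idempotent GET requests get no protection, and the function names, the `csrf_token` POST field and the `X-CSRF-Token` header are assumptions:

```php
<?php
// Added example (not the RFC's or either poster's code): a session-bound CSRF
// check for an endpoint that returns JSON rather than HTML. The token travels
// in a POST field or an X-CSRF-Token header (both names are assumptions),
// never in the query string, so it does not end up in access logs or
// Referer headers the way a query parameter would.
declare(strict_types=1);

// Issue the per-session token once; hex output is safe to embed anywhere.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Check one request. Safe methods pass untouched: GET/HEAD/OPTIONS must be
// idempotent, so the scheme does not protect them. Everything else needs a
// token that matches the session's, compared in constant time.
function csrf_verify(string $method, array $post, ?string $headerToken): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $supplied = $post['csrf_token'] ?? $headerToken ?? '';
    if (!is_string($supplied) || $supplied === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $supplied);
}

// Front controller: a JS client fetches the token once (e.g. from a
// GET /csrf endpoint that returns csrf_token()) and then sends it as
// X-CSRF-Token on every state-changing call.
session_start();
$ok = csrf_verify(
    $_SERVER['REQUEST_METHOD'] ?? 'GET',
    $_POST,
    $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null
);
if (!$ok) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'missing or invalid CSRF token']);
    exit;
}
```

Because the token is read only from the body or a header, a link or image tag on another origin cannot supply it, which is the property the query-parameter variant gives up.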