Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93204 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 92269 invoked from network); 11 May 2016 06:37:46 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 11 May 2016 06:37:46 -0000 Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.220 cause and error) X-PHP-List-Original-Sender: me@kelunik.com X-Host-Fingerprint: 81.169.146.220 mo4-p00-ob.smtp.rzone.de Received: from [81.169.146.220] ([81.169.146.220:42128] helo=mo4-p00-ob.smtp.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 4C/D5-64493-833D2375 for ; Wed, 11 May 2016 02:37:45 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1462948660; l=4632; s=domk; d=kelunik.com; h=Content-Type:Cc:To:From:Subject:Date:References:In-Reply-To: MIME-Version; bh=jPYClZ3G6bfrOnFNrT0R3manqR6SKe1H8TdgW538In4=; b=qMeOlGzDU1r9D8CfNhQ1M3rr8WTUIQJZ9Ly4qBWjrhzRTrfZGj8NLLhUQs8eYLJyy95 vV0SIXLc19+K9G4MvUBXBX1hVPTOjuuIByjKy7O2oDk/GRU8otCGr5uCLfkRJOP1DA6eR hZmnEEdTV/BUKVnXF6M+8tyvk7MJ7GnVscM= X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtO3E6 X-RZG-CLASS-ID: mo00 Received: from mail-wm0-f42.google.com ([74.125.82.42]) by smtp.strato.de (RZmta 37.26 AUTH) with ESMTPSA id K03b86s4B6bdIga (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA)) (Client did not present a certificate) for ; Wed, 11 May 2016 08:37:39 +0200 (CEST) Received: by mail-wm0-f42.google.com with SMTP id a17so63858148wme.0 for ; Tue, 10 May 2016 23:37:39 -0700 (PDT) X-Gm-Message-State: AOPr4FXfV5BcuPthn3KZj+UaEbmqRKoLUU31exQAqx5iu7+CXxTdruxOkg6NrH0l+zW07r284t73IYplYEEeeA== MIME-Version: 1.0 X-Received: by 10.194.87.103 with SMTP id w7mr1690528wjz.13.1462948659144; Tue, 10 May 2016 23:37:39 -0700 (PDT) Received: by 10.28.53.132 with HTTP; Tue, 10 May 2016 23:37:39 -0700 (PDT) In-Reply-To: References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> Date: Wed, 11 May 2016 08:37:39 +0200 X-Gmail-Original-Message-ID: Message-ID: To: Yasuo Ohgaki Cc: Stanislav Malyshev , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=047d7bf10b54273b9205328b474d Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection From: me@kelunik.com (Niklas Keller) --047d7bf10b54273b9205328b474d Content-Type: text/plain; charset=UTF-8 2016-05-11 6:50 GMT+02:00 Yasuo Ohgaki : > Hi Niklas, > > On Wed, May 11, 2016 at 1:40 PM, Niklas Keller wrote: > > Yasuo Ohgaki schrieb am Mi., 11. Mai 2016 00:05: > >> > >> Hi Stas, > >> > >> On Wed, May 11, 2016 at 12:32 AM, Stanislav Malyshev > >> wrote: > >> >> What happens with applications that do not produce HTML at all, such > as > >> >> REST, > >> >> - These apps may add SESSCSRF value manually. > >> > > >> > Add where? And where that value would come from? RFC says nothing > about > >> > that. > >> > >> As usual. Query parameter when GET is used. Additional input when POST > >> is used. All users have to do is adding CSRF token to JS program. > > > > > > Again: GET doesn't need any protection, it must be idempotent. > > > > Query parameter is a very bad idea, just like session IDs in the query > > parameter are a bad idea. Maybe we should think about removing support > for > > it. > > I agree users should use POST rather than GET. > However, there many codes use GET and it could be used safely. > e.g. Many web API uses AUTH key in query strings. It's not security > issue because of its usage. > It is, because it will be leaked to other sites without having special headers. Older browsers not supporting those headers will still expose those tokens in referer headers. APIs are a different topic. They're not visited by the user directly, so the URL is never exposed to other sites (may they be via clicked links or embedded images). > So I didn't ignore GET usage. > > Regards, > > -- > Yasuo Ohgaki > yohgaki@ohgaki.net > --047d7bf10b54273b9205328b474d--