[WEB SECURITY] CSRF remedies in

Licky Lindsay noontar at gmail.com
Thu Jan 15 15:13:16 EST 2009


On Thu, Jan 15, 2009 at 1:33 PM, Stephan Wehner <stephanwehner at gmail.com> wrote:
>
> By the way, I am not sure about CSRF protection vs. bookmarks. When
> tokens are generated/validated even for GET requests -- which can be
> important when the response contains information that needs to be
> protected -- the user cannot use their browser's bookmark function.

In what situation would you need CSRF protection on GET requests? CSRF
is about exploiting side effects, and GET requests aren't supposed to
have any side effects. What am I missing?
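The method-based distinction the reply draws can be made concrete: a CSRF check that exempts the safe methods (GET, HEAD, OPTIONS, TRACE) and validates a session-bound token only for state-changing ones leaves bookmarks working. The code below is an added illustration, not part of the original thread; `make_csrf_token`, `csrf_check` and the session ids are assumptions, and the exemption is only sound if the application actually keeps GET free of side effects.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Methods RFC 7231 defines as safe: they must not change server state,
# so a CSRF token on them buys nothing and would only break bookmarks.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def make_csrf_token(server_secret: bytes, session_id: str) -> str:
    """Derive a CSRF token bound to the session id via HMAC-SHA256.

    The token is a deterministic function of the session, so the server
    can recompute it at validation time instead of storing it.
    """
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(method: str, session_id: Optional[str],
               submitted_token: Optional[str], server_secret: bytes) -> bool:
    """Return True if the request may proceed past the CSRF layer."""
    if method.upper() in SAFE_METHODS:
        return True  # a bookmarked GET needs no token
    if session_id is None or submitted_token is None:
        return False  # state change without a token: reject
    expected = make_csrf_token(server_secret, session_id)
    # constant-time comparison so timing does not leak the expected token
    return hmac.compare_digest(expected, submitted_token)


def demo(server_secret: bytes) -> Dict[str, bool]:
    """Exercise the check with two constructed sessions (hypothetical ids)."""
    sess_a, sess_b = "sess-a", "sess-b"
    token_a = make_csrf_token(server_secret, sess_a)
    token_b = make_csrf_token(server_secret, sess_b)
    return {
        "bookmarked_get": csrf_check("GET", sess_a, None, server_secret),
        "post_without_token": csrf_check("POST", sess_a, None, server_secret),
        "post_with_own_token": csrf_check("POST", sess_a, token_a, server_secret),
        # a token minted for another session must not validate here
        "post_with_other_token": csrf_check("POST", sess_a, token_b, server_secret),
    }


if __name__ == "__main__":
    for name, allowed in demo(b"constructed-demo-secret-not-for-production").items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```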
