[WEB SECURITY] CSRF remedies in
Licky Lindsay
noontar at gmail.com
Thu Jan 15 15:13:16 EST 2009
On Thu, Jan 15, 2009 at 1:33 PM, Stephan Wehner <stephanwehner at gmail.com> wrote:
>
> By the way, I am not sure about CSRF protection vs. bookmarks. When
> tokens are generated/validated even for GET requests -- which can be
> important when the response contains information that needs to be
> protected -- the user cannot use their browser's bookmark function.

In what situation would you need CSRF protection on GET requests? CSRF
is about exploiting side effects, and GET requests aren't supposed to
have any side effects. What am I missing?
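
The trade-off discussed in this exchange, as an added example that is not part of the original message: a CSRF check that by default exempts safe methods, so bookmarked GET URLs keep working, next to a strict mode that also validates GET and therefore rejects a bookmark carrying a token from an earlier session. The HMAC-per-session token scheme and the names `issue_token`, `allow_request` and `protect_get` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret, generated fresh for this example only.
SERVER_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str) -> str:
    """Derive a per-session CSRF token as an HMAC keyed with the server secret."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, token) -> bool:
    """Constant-time comparison of the submitted token with the expected one."""
    if not token:
        return False
    return hmac.compare_digest(issue_token(session_id).encode(), token.encode())


def allow_request(method: str, session_id: str, token=None,
                  protect_get: bool = False) -> bool:
    """Return True if the request passes the CSRF check.

    protect_get=False: only state-changing methods need a token.
    protect_get=True: every request needs one, including GET.
    """
    if method.upper() in SAFE_METHODS and not protect_get:
        return True
    return token_valid(session_id, token)


def demo() -> dict:
    old, new = "session-A", "session-B"   # constructed session ids
    bookmarked = issue_token(old)          # token saved inside a bookmarked URL
    return {
        "plain_bookmark_get": allow_request("GET", new),
        "post_without_token": allow_request("POST", new),
        "post_with_token": allow_request("POST", new, issue_token(new)),
        "strict_get_no_token": allow_request("GET", new, protect_get=True),
        "strict_get_stale_bookmark": allow_request("GET", new, bookmarked,
                                                   protect_get=True),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'rejected'}")
```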