[WEB SECURITY] CSRF remedies in

Stephan Wehner stephanwehner at gmail.com
Fri Jan 16 01:59:44 EST 2009


On Thu, Jan 15, 2009 at 12:13 PM, Licky Lindsay <noontar at gmail.com> wrote:
> On Thu, Jan 15, 2009 at 1:33 PM, Stephan Wehner <stephanwehner at gmail.com> wrote:
>>
>> By the way, I am not sure about CSRF protection vs. bookmarks. When
>> tokens are generated/validated even for GET requests -- which can be
>> important when the response contains information that needs to be
>> protected -- the user cannot use their browser's bookmark function.
>
> In what situation would you need CSRF protection on GET requests? CSRF
> is about exploiting side effects, and GET requests aren't supposed to
> have any side effects. What am I missing?
>

You might not be missing anything. (The name CSRF doesn't imply
"side-effects" to me.) I am looking at the case of a web app that makes
sensitive information available on its web pages after a user has logged in.
I am thinking about supporting both bookmarks and protecting the information
from becoming visible to someone other than the user through the
combination of javascript + browser bugs.

Stephan

-- 
Stephan Wehner

-> http://stephan.sugarmotor.org (blog and homepage)
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- blog.stephansmap.org
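The trade-off discussed in this exchange, shown as an added example that is not code from either poster: a synchronizer-token check that requires the token only on state-changing methods, so ordinary GET URLs stay bookmarkable, plus an opt-in list of "sensitive" GET paths that must also carry the token in the query string (which is exactly what stops a plain bookmark from working). The HMAC-derived, session-bound token, the `SECRET_KEY`, the `check_request` signature and the sample paths are all assumptions of this illustration, not anything the list discussion specifies.

```python
"""Synchronizer-token CSRF check that distinguishes bookmarkable GETs
from state-changing requests (added illustration; not code from the thread)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side secret; in a real app it lives in config, not here.
SECRET_KEY = secrets.token_bytes(32)

# Methods that may have side effects and therefore always need a token.
UNSAFE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def make_token(session_id: str) -> str:
    """Derive a per-session CSRF token from the session id (assumed scheme).

    Binding the token to the session means a token lifted from one user's
    page cannot be replayed against another user's session."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, token) -> bool:
    """Constant-time comparison; a missing token is simply invalid."""
    if not token:
        return False
    return hmac.compare_digest(make_token(session_id), token)


def check_request(method, url, session_id, form=None, protected_get_paths=frozenset()):
    """Decide whether a request passes the CSRF check.

    - Unsafe methods must carry a valid token in the form body.
    - GET is accepted without a token, so bookmarked URLs keep working,
      unless the path is listed in protected_get_paths (the case raised in
      the thread: a page whose response itself is sensitive). Those GETs
      need the token in the query string, which is what breaks a plain
      bookmark.
    """
    form = form or {}
    parts = urlsplit(url)
    method = method.upper()
    if method in UNSAFE_METHODS:
        return token_valid(session_id, form.get("csrf_token"))
    if method == "GET" and parts.path in protected_get_paths:
        query_token = parse_qs(parts.query).get("csrf_token", [None])[0]
        return token_valid(session_id, query_token)
    # HEAD/OPTIONS and ordinary GETs: no side effects, no token required.
    return True


if __name__ == "__main__":
    sid = "session-abc123"  # constructed sample session id
    tok = make_token(sid)
    sensitive = frozenset({"/statement"})  # hypothetical sensitive page
    print("bookmarked GET /account  :", check_request("GET", "/account", sid))
    print("POST /transfer, no token :", check_request("POST", "/transfer", sid, {"amount": "10"}))
    print("POST /transfer, token    :", check_request("POST", "/transfer", sid, {"amount": "10", "csrf_token": tok}))
    print("bookmarked GET /statement:", check_request("GET", "/statement", sid, protected_get_paths=sensitive))
    print("GET /statement with token:", check_request("GET", "/statement?csrf_token=" + tok, sid, protected_get_paths=sensitive))
```

The only thing that decides whether a bookmark survives is whether a path appears in `protected_get_paths`; everything else in the check is the usual "tokens on unsafe methods" rule, which is why the question of GET protection is really a question about which responses are sensitive enough to pay for that loss.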
