[WEB SECURITY] CSRF remedies in
Stephan Wehner
stephanwehner at gmail.com
Fri Jan 16 01:59:44 EST 2009
On Thu, Jan 15, 2009 at 12:13 PM, Licky Lindsay <noontar at gmail.com> wrote:
> On Thu, Jan 15, 2009 at 1:33 PM, Stephan Wehner <stephanwehner at gmail.com> wrote:
>>
>> By the way, I am not sure about CSRF protection vs. bookmarks. When
>> tokens are generated/validated even for GET requests -- which can be
>> important when the response contains information that needs to be
>> protected -- the user cannot use their browser's bookmark function.
>
> In what situation would you need CSRF protection on GET requests? CSRF
> is about exploiting side effects, and GET requests aren't supposed to
> have any side effects. What am I missing?
>
You might not be missing anything. (The name CSRF doesn't imply "side-effects" to me.) I am looking at the case of a web app that makes sensitive information available on its web pages after a user has logged in. I am thinking about supporting both bookmarks and protecting the information from becoming visible to someone other than the user through the combination of JavaScript + browser bugs.
Stephan
--
Stephan Wehner
-> http://stephan.sugarmotor.org (blog and homepage)
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- blog.stephansmap.org
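The trade-off Stephan describes (requiring a CSRF token on GET requests protects the response, but a bookmarked URL then stops working once the session that minted the token is gone) can be made concrete. The following is an added example written for this archive page; it is not code from Stephan or from the list, and the session-bound HMAC token, the `protect_get` switch and the `csrf` query parameter are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server secret for this example only; a real deployment loads one from config.
SECRET = b"example-only-secret"

# Methods RFC 7231 defines as safe (no state change on the server).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str, secret: bytes = SECRET) -> str:
    """Derive a CSRF token bound to the session id (HMAC-SHA256, no server-side state)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, presented: Optional[str], secret: bytes = SECRET) -> bool:
    """Constant-time comparison of the presented token against the one expected for this session."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id, secret), presented)


def check_request(method: str, session_id: str, token: Optional[str],
                  protect_get: bool = False) -> Tuple[bool, str]:
    """Decide whether a request passes the CSRF check.

    protect_get=False: tokens are required only for state-changing methods (the usual remedy).
    protect_get=True:  tokens are required for every request, GET included (protects the
                       response body, at the cost of bookmarks).
    """
    method = method.upper()
    if method in SAFE_METHODS and not protect_get:
        return True, "safe method, token not required"
    if token_valid(session_id, token):
        return True, "valid token"
    return False, "missing or invalid CSRF token"


def build_page_url(path: str, session_id: str, protect_get: bool) -> str:
    """URL as the app would emit it in a link; with protect_get the token rides in the query."""
    if not protect_get:
        return path
    return f"{path}?{urlencode({'csrf': issue_token(session_id)})}"


def token_from_url(url: str) -> Optional[str]:
    """Extract the (assumed) 'csrf' query parameter from a stored URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("csrf", [None])[0]


def bookmark_survives_relogin(protect_get: bool) -> bool:
    """Simulate a user bookmarking a page during session A and opening it during a later session B.

    Any token embedded in the bookmark was minted for session A, so under protect_get it is
    stale for session B and the GET is refused; without protect_get the plain URL still works.
    """
    url = build_page_url("/account", "session-A", protect_get)
    allowed, _ = check_request("GET", "session-B", token_from_url(url), protect_get)
    return allowed


if __name__ == "__main__":
    for protect_get in (False, True):
        print(f"protect_get={protect_get}: bookmark works after re-login ->",
              bookmark_survives_relogin(protect_get))
    print("POST without token:", check_request("POST", "session-A", None))
    print("POST with token:   ", check_request("POST", "session-A", issue_token("session-A")))
```

Running it shows the two sides of the thread's question: a POST without a token is refused in both modes, while a GET bookmarked in one session only keeps working when GET requests are left out of the token check.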
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA