Finally gerryvdm from the #symfony IRC channel gave me a good answer:

[17:12] gerryvdm: the goal is to prevent users unwillingly performing "actions" on your site, which really only should be possible when submitting a form
[17:13] gerryvdm: never use GET requests for destructive operations
[17:15] gerryvdm: GET for reading resources, POST for modifying them
[17:15] sriley: spiders will follow GET requests, they won't POST though
[17:15] gerryvdm: and everything, from browsers to web crawlers, is designed around that principle
[17:16] gerryvdm: for example, browsers also ask if you really want to resend a form when refreshing
[17:18] gerryvdm: read this http://thedailywtf.com/forums/65974/showpost.aspx
[17:19] estahn: ok, I give you a short example ... I have news on a page. Every news item has a close link. If you press it the news will disappear (/news/read/id/3) ... now there is an unobtrusive possibility through JavaScript so that I don't need to refresh the page. So this will work, but I would like to have CSRF in this link to secure it's from the origin sender
[17:21] gerryvdm: estahn: then a user with a web accelerator that prefetches links shows up
[17:21] gerryvdm: it should be POST and POST only
[17:21] gerryvdm: and you can always style forms to look like links
[17:23] estahn: the post shows a good point ... but wouldn't CSRF in links avoid this problem?
[17:23] gerryvdm: no
[17:23] gerryvdm: that user with a web accelerator has a valid session and will pass any CSRF check
[17:24] gerryvdm: http://webaccelerator.google.com/webmasterhelp.html#prefetch3
[17:24] gerryvdm: it exists, don't assume these things don't happen
[17:24] gerryvdm: "According to the HTTP 1.1 specification, the GET method is defined as a Safe Method which "SHOULD NOT have the significance of taking an action other than retrieval.""

On 20 Jan., 23:03, Enrico Stahn <enrico.st...@gmail.com> wrote:
> Hi absalito,
>
> I'm already familiar with the topic in general, but thanks for mentioning
> Wikipedia because of: "The attacker must determine the right values
> for all the form's or URL's inputs". This means, to my understanding,
> URLs are a valid possibility to request actions that change data,
> therefore they need protection.
>
> Did you read the mentioned ticket? I guess this is a very good
> explanation of what my concern is all about. So, the question above is
> not about CSRF in general but rather why links aren't protected with CSRF in
> symfony.
>
> Kind regards
> Enrico
>
> On 20 Jan., 22:46, absalito <absal...@gmail.com> wrote:
>
> > "CSRF" is about protecting forms from "spamming", adding a field
> > generated at runtime that identifies the form as unique.
> > If the form is used otherwise than through the application, the field
> > for "csrf" will not be valid, and therefore it will be identified as
> > an attack.
> > See it on Wikipedia:
> >
> > http://en.wikipedia.org/wiki/Cross-site_request_forgery
> >
> > I apologize for my horrible English.. I'm using Google Translator :)
> >
> > On Jan 20, 5:06 pm, Enrico Stahn <enrico.st...@gmail.com> wrote:
> >
> > > Hello,
> > >
> > > I've wondered if it is uncommon to protect "normal" links against
> > > attackers. I have found a feature request for this issue but no
> > > response since one year.
> > >
> > > http://trac.symfony-project.org/ticket/5742
> > >
> > > Maybe I misunderstood the concept of CSRF in this case. Could somebody
> > > give me clarification about this?
> > >
> > > Thanks
> > > Enrico

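As an added illustration of the rule gerryvdm states above (example code written for this thread, not code from the IRC log, from Enrico, or from symfony itself): the news "close" action is only honoured on a POST carrying a per-session CSRF token, while a GET to the same path stays a pure read. The function names (csrfToken, csrfTokenIsValid, handleDismiss, renderCloseControl), the request array shape and the in-memory $news and $session arrays are assumptions made for the example; it runs as a plain PHP 7.1+ CLI script with no framework.

```php
<?php
// Added example (not from the thread or from symfony): a framework-free
// sketch of "GET reads, POST modifies". A news item is dismissed only by a
// POST with a per-session CSRF token; a GET to the same path never changes
// state, so a prefetching accelerator or crawler cannot dismiss anything,
// whether or not a token happens to be in the URL.

declare(strict_types=1);

/** Fetch or create the session's CSRF token (hypothetical helper). */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Constant-time comparison of a submitted token against the session's. */
function csrfTokenIsValid(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

/**
 * Handle a request to /news/read/id/{id}. $request is a constructed stand-in
 * for what a framework hands a controller: method, id, POST body.
 * Returns [status, body]; $news plays the database, $session the user's session.
 */
function handleDismiss(array $request, array &$session, array &$news): array
{
    $id = (int) $request['id'];

    // Safe method: read only, never modify, regardless of anything in the URL.
    if ($request['method'] === 'GET') {
        return [200, $news[$id] ?? 'not found'];
    }

    if ($request['method'] !== 'POST') {
        return [405, 'method not allowed'];
    }

    if (!csrfTokenIsValid($session, $request['post']['_csrf_token'] ?? null)) {
        return [403, 'invalid csrf token'];
    }

    unset($news[$id]);
    return [200, 'dismissed'];
}

/** Render the "close" control as a form; CSS can make it look like a link. */
function renderCloseControl(int $id, string $token): string
{
    return sprintf(
        '<form method="post" action="/news/read/id/%d" class="looks-like-a-link">'
        . '<input type="hidden" name="_csrf_token" value="%s">'
        . '<button type="submit">close</button></form>',
        $id,
        htmlspecialchars($token, ENT_QUOTES, 'UTF-8')
    );
}

// --- Constructed walk-through (sample data, not real traffic) ---------------
$session = [];
$news = [3 => 'Release announced'];
$token = csrfToken($session);

// 1. A web accelerator prefetches the link with the user's valid session.
//    Even with a valid session nothing is dismissed, because GET only reads.
$prefetch = ['method' => 'GET', 'id' => 3, 'post' => []];
[$status, $body] = handleDismiss($prefetch, $session, $news);
printf("prefetch GET -> %d %s, news left: %d\n", $status, $body, count($news));

// 2. A POST that does not carry the session's token is refused.
$noToken = ['method' => 'POST', 'id' => 3, 'post' => ['_csrf_token' => 'guess']];
[$status, $body] = handleDismiss($noToken, $session, $news);
printf("POST w/o token -> %d %s, news left: %d\n", $status, $body, count($news));

// 3. The user's own form submission carries the token and succeeds.
$genuine = ['method' => 'POST', 'id' => 3, 'post' => ['_csrf_token' => $token]];
[$status, $body] = handleDismiss($genuine, $session, $news);
printf("genuine POST -> %d %s, news left: %d\n", $status, $body, count($news));

echo renderCloseControl(3, $token), "\n";
```

The unobtrusive JavaScript Enrico mentions still fits: the script can submit the same form over XMLHttpRequest as a POST, token included, and only fall back to a full page reload when scripting is off. What it must not do is turn the action back into a GET, since that is exactly the request a prefetcher will replay with the user's valid session.
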
-- 
You received this message because you are subscribed to the Google Groups 
"symfony users" group.