Unfortunately, using POST requests instead of GET requests is not enough. It will not prevent attacks that use forms and/or JavaScript to generate POST requests.
Alex

On 03/09/2010 02:48 PM, Caleb James DeLisle wrote:
> I had thought about proposing this myself but decided against it because it seems
> to me like a workaround for problems which can be solved in other ways.
>
> Suppose we were to add a check to the actions which alter data which made sure the request method
> was 'post' and made it configurable in one of the configuration files? We would have
> to look over the default skins for incorrect links and leave the configuration
> option off by default for backward compatibility at least until the next major version
> but we could provide wiki operators the ability to prevent CSRF.
>
> Caleb
> _______________________________________________

devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
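Alex's point, as an added illustration that is not part of this thread or of XWiki's own code: a minimal Python simulation in which one state-changing wiki action is guarded first by the method-only check Caleb proposes and then by a per-session token that a page on another origin cannot read. The `Request` object, the `form_token` field name, the `delete_page` action and the sample requests are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request reaching a wiki action."""
    method: str
    form: dict = field(default_factory=dict)    # submitted form fields
    session: dict = field(default_factory=dict)  # server-side session (cookie-bound)


def issue_csrf_token(session: dict) -> str:
    """Mint a random token, store it in the session, and embed it in the wiki's own forms."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def method_only_guard(req: Request) -> bool:
    """The proposed check: accept anything that arrives as POST. Insufficient on its own."""
    return req.method == "POST"


def token_guard(req: Request) -> bool:
    """Synchronizer-token check: the POST must carry the token bound to this session."""
    expected = req.session.get("csrf_token")
    supplied = req.form.get("form_token")  # assumed field name
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)


def delete_page(req: Request, guard) -> str:
    """A state-changing action; it runs only if `guard` accepts the request."""
    return "deleted" if guard(req) else "rejected"


def demo() -> dict:
    session = {}
    token = issue_csrf_token(session)
    # Legitimate request: the wiki's own form includes the token.
    legit = Request("POST", {"form_token": token}, session)
    # Cross-site request: the browser still attaches the victim's session cookie and
    # the method is POST, but the foreign page has no way to read the token.
    cross_site = Request("POST", {}, session)
    return {
        "method_only": (delete_page(legit, method_only_guard),
                        delete_page(cross_site, method_only_guard)),
        "token": (delete_page(legit, token_guard),
                  delete_page(cross_site, token_guard)),
    }
```

The method-only guard lets both requests through; the token guard accepts only the one that originated from the wiki's own form.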

