On Thursday, 3 July 2014 00:32:15 UTC+2, cornelius wrote:
>
> On 02.07.2014 23:01, Torsten Irländer wrote:
>
> On Wednesday, 2 July 2014 17:00:02 UTC+2, Bert JW Regeer wrote:
>>
>> On Jul 2, 2014, at 7:29, Torsten Irländer <[email protected]> wrote:
>>
> I guess that most people only talk about protecting POST requests since
> they _think_ that the web application would be programmed this way, that
> all actions (like deleting all contacts) would only be accessible via a
> POST request. So they THINK there is no need in protecting GET requests.
> But I know web applications that also change data via GET requests.
>
> But triggering a GET request that only _reads_ your addresses would
> display the addresses and not change them. (Well, maybe some code can also
> steal the addresses.)
>

That's the point. If those addresses are not public and considered to be
only visible to authenticated users, then such a GET request is a large
security issue (if such a request is realistic at all).


> Nevertheless I absolutely recommend to also protect GET requests against 
> CSRF!
>

Ok, and how would you do it in pyramid?

Torsten
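As an added example (not part of this thread, and not Pyramid's own code), here is the check cornelius is recommending, done in plain Python: a state-changing GET is treated like a POST and must carry the session's CSRF token, either in an `X-CSRF-Token` header or as a query parameter. The session is a plain dict, the URLs and contact names are constructed, and the function names (`new_csrf_token`, `protected_link`, `check_get_csrf`, `delete_all_contacts`) are mine; the comparison itself is the same session-token-versus-request-token check that Pyramid's `check_csrf_token` helper performs against a real request object.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


class CsrfError(Exception):
    """Raised when a state-changing request carries no valid CSRF token."""


def new_csrf_token() -> str:
    """Per-session secret; generate once and keep it server-side in the session."""
    return secrets.token_hex(32)


def protected_link(path: str, session_token: str) -> str:
    """Build a link that carries the session's token as a query parameter.

    Only pages rendered by the application know the token, so a link forged
    on another site cannot produce a valid GET.
    """
    return f"{path}?{urlencode({'csrf_token': session_token})}"


def check_get_csrf(request_url: str, session_token: str,
                   header_token: Optional[str] = None) -> bool:
    """Return True only if the request presents the session's token.

    The header is preferred (a cross-site <img> or <a> cannot set one); the
    query string is the fallback for plain links. The constant-time compare
    avoids leaking the token through response timing.
    """
    if not session_token:
        return False  # no token issued for this session yet: nothing can match
    supplied = header_token
    if not supplied:
        query = parse_qs(urlsplit(request_url).query)
        supplied = query.get("csrf_token", [""])[0]
    return hmac.compare_digest(supplied.encode("utf-8"),
                               session_token.encode("utf-8"))


def delete_all_contacts(session: dict, request_url: str,
                        header_token: Optional[str] = None) -> int:
    """Hypothetical GET-driven action (the 'delete all contacts' case from
    the thread). Refuses to act unless the CSRF check passes and returns the
    number of contacts removed."""
    if not check_get_csrf(request_url, session.get("csrf_token", ""), header_token):
        raise CsrfError("missing or invalid CSRF token on state-changing GET")
    removed = len(session.get("contacts", []))
    session["contacts"] = []
    return removed


if __name__ == "__main__":
    # Constructed sample session and URLs, not real traffic.
    session = {"csrf_token": new_csrf_token(), "contacts": ["alice", "bob"]}
    # A link forged from another site cannot know the session token:
    try:
        delete_all_contacts(session, "/contacts/delete_all")
    except CsrfError as exc:
        print("blocked:", exc)
    # A link our own page rendered carries it and is allowed:
    url = protected_link("/contacts/delete_all", session["csrf_token"])
    print("removed", delete_all_contacts(session, url), "contacts")
```

Two design points: the token is compared against the value stored in the session, never against another value supplied by the request, so the attacker gains nothing by supplying both; and a token in a URL still ends up in browser history, proxy logs and `Referer` headers, so the check is a stopgap for legacy GET actions while the durable fix is moving every state-changing action to POST (or another non-safe method) with the same token check.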
