2009/3/26 Reed O'Brien <r...@reedobrien.com>: > But google's search is a GET request; which should be idempotent and > shouldn't need CSRF protection.
True that. >> Right you could have a ticket system, but is it really necessary for >> the general site? Perhaps for online banking or airline ticket >> booking. > > for non-idempotent POST requests, IMO. In a CMS system for example, would you want the "Save" action to be protected from resubmission? Ideally, users will only submit the button once, but it's a bit awkward to prevent it by force, when there's no damage ahead. >>> Perhaps we are saying the same thing and I am being obtuse. But *only* >>> validating that an agent is participating in a valid session doesn't >>> prevent >>> a malicious JS from submitting a form on that valid sessions behalf. > > [snip] > > I wasn't referring to a malicious JS on my own server as that wouldn't be > cross site request forgery (CSRF), which is what we are talking about > preventing, no? Undesired resubmission of forms is one thing; it can be dealt with using a ticket system. As for what we're supposed to be talking about here :-) ––- you said it best, I think: to ensure that the requestor is the requestor. To that extend, forms must be *signed* with a personal signature. \malthe _______________________________________________ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
