On Thu, Dec 9, 2010 at 6:26 PM, Adam Barth <[email protected]> wrote:
> On Thu, Dec 9, 2010 at 4:46 PM, Tab Atkins Jr. <[email protected]> wrote:
>> On Thu, Dec 9, 2010 at 11:01 AM, Adam Barth <[email protected]> wrote:
>>> We've seen use cases for a similar feature for iframes and hyperlinks.
>>> For example:
>>>
>>> <a href="/logout" post-data>Logout</a>
>>>
>>> would be more semantically correct than just <a
>>> href="/logout">Logout</a> because it would generate a POST instead of
>>> a GET.
>>
>> Why wouldn't <form method=post
>> action=/logout><button>Logout</button></form> work, with some CSS to
>> make it look like a link if you wanted that?
>
> It's too much work. :)

But it's no work on your part. ^_^

>> On Thu, Dec 9, 2010 at 11:41 AM, Philipp Serafin <[email protected]> wrote:
>>> There are quite a number of older web forums that sanitize their HTML using
>>> black lists and would not strip new attributes like "post-data". For
>>> malicious users, it would be very easy to include e.g. <img
>>> src="./do_post.php" post-data="thread_id=42&post_content=Go visit (some
>>> spam URL)"> in their signature and have users doing involuntary posts by
>>> simply viewing a thread.
>>
>> Indeed. You shouldn't be able to trigger POSTs from involuntary
>> actions. They should always require some sort of user input, because
>> there is simply *far* too much naive code out there that is vulnerable
>> to CSRF.
>
> Unfortunately, the attacker can already trigger POSTs with involuntary
> actions. That code is already vulnerable to attack, sadly.

Via scripting, yes, which is usually stripped out by sanitizers (or
just plain doesn't work, like javascript urls in images). I don't
believe there are any declarative ways to trigger involuntary POSTs,
are there?

~TJ
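
Added example, not part of the original message: the sanitizer concern raised in the thread, shown by running the quoted signature markup through a blacklist filter and an allowlist filter. The filter functions, the blacklist and allowlist contents, and the extra `onerror` attribute in the sample are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample: the signature quoted in the thread, plus an onerror
# handler. "post-data" is the proposed attribute, not a shipped HTML feature.
SIGNATURE = ('<img src="./do_post.php" onerror="x()" '
             'post-data="thread_id=42&post_content=spam">')

BAD_TAGS = {"script", "iframe", "object"}            # assumed blacklist
BAD_ATTRS = {"onerror", "onload", "onclick"}         # assumed blacklist
ALLOWED = {"img": {"src", "alt"}, "a": {"href"}, "b": set()}  # assumed allowlist


class _Filter(HTMLParser):
    """Re-serialises markup, keeping only what the two predicates accept."""

    def __init__(self, keep_tag, keep_attr):
        super().__init__(convert_charrefs=True)
        self.keep_tag, self.keep_attr, self.out = keep_tag, keep_attr, []

    def handle_starttag(self, tag, attrs):
        if self.keep_tag(tag):
            kept = "".join(f' {k}="{escape(v or "", quote=True)}"'
                           for k, v in attrs if self.keep_attr(tag, k))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def _run(html, keep_tag, keep_attr):
    parser = _Filter(keep_tag, keep_attr)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def blacklist_sanitize(html):
    # Removes only names known to be dangerous when the filter was written.
    return _run(html, lambda t: t not in BAD_TAGS, lambda t, k: k not in BAD_ATTRS)


def allowlist_sanitize(html):
    # Keeps only names the policy lists; anything new is dropped by default.
    return _run(html, lambda t: t in ALLOWED, lambda t, k: k in ALLOWED[t])
```

The blacklist filter strips `onerror` but passes `post-data` through untouched, while the allowlist filter emits only `<img src="./do_post.php">`.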
