Posted to dev@chemistry.apache.org by Florent Guillaume <fg...@nuxeo.com> on 2018/09/28 13:33:41 UTC

CSRF check on content GET

Hi Florian,

Could you explain the reasoning behind the fact that CsrfManager#check
verifies the token in the request parameter if this is a GET content
request?

I don't see the point in doing any CSRF check for a GET... In other words,
I don't see an attack model that would make this necessary.

Thanks,
Florent

-- 
Nuxeo <https://www.nuxeo.com/>

Florent Guillaume  Head of R&D
LinkedIn <https://www.linkedin.com/in/fguillaume/>  Twitter <https://twitter.com/efge>  Github <https://github.com/efge>

Nuxeo Content Services Platform. Stay ahead.

Re: CSRF check on content GET

Posted by Florian Müller <fm...@apache.org>.
Hi Florent,

I have to admit that I can't recall right now why there is a CSRF
check.
But the fact that I spent the effort implementing it makes me believe
that there was a good enough reason.

I'll keep thinking about it...


- Florian



> Hi Florian,
> 
> Could you explain the reasoning behind the fact that CsrfManager#check
> verifies the token in the request parameter if this is a GET content
> request?
> 
> I don't see the point in doing any CSRF check for a GET... In other 
> words,
> I don't see an attack model that would make this necessary.
> 
> Thanks,
> Florent