PEAK XOOPS - Re: under the topic of against CSRF ... (2)

Re: under the topic of against CSRF ... (2)

Target: News
Subject: CSRF対策という名のもとに…2 (Under the name of CSRF protection... 2)
Summary: Yesterday's topic was PHP in general, but this time it is only about XOOPS. Specifically, it is about the simple CSRF countermeasure that seems to be implemented only in XOOPS. Since information about it is already widely shared, there is no real need to explain it again, but at the DB layer, if the request is a POST and the Referer is not internal...

Posted by skalpa on 2006/6/1 8:38
The fact that operations that modify the state of the Web should only be allowed during a POST request is part of the Web axioms, as described in Tim Berners-Lee's notes.
So, although I'm almost sure this has not been implemented for this reason on purpose, it forces less knowledgeable developers to respect this rule, and I think it is positive in fact.
Also, on a side note: I think something additional has to be found... Tokens are not more secure and can be tricked and bypassed (don't forget CSRF starts with the assumption that JavaScript code can be inserted).
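The two mechanisms this thread contrasts, written out as an added example (this is not XOOPS code and not skalpa's): a Referer-based check in the spirit of the XOOPS behaviour the summary describes (only POST requests are examined, and a POST whose Referer is not on the site is refused), next to the per-session synchronizer token the reply calls "tokens". The site host `www.example.com`, the session ids and every request below are constructed for the demo, and what to do with a missing Referer (refuse the write) is this example's own choice, since the page does not say what XOOPS does in that case.

```python
"""Added illustration of CSRF request checks; not XOOPS code."""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumed site host for the demo


def referer_check(method: str, referer: Optional[str], site_host: str = SITE_HOST) -> bool:
    """Return True if the request may perform a state change.

    Modelled on the XOOPS idea from the thread summary: only POST requests
    are examined, and a POST is refused when its Referer is not on the site.
    A missing Referer is refused here; that is this example's own choice,
    because browsers, proxies and privacy extensions often strip the header.
    """
    if method.upper() != "POST":
        return True  # the check covers state-changing POSTs only
    if not referer:
        return False  # example's choice: no Referer, no write
    host = urlsplit(referer).hostname  # None for "www.example.com/x" or "javascript:"
    return host is not None and host == site_host.lower()


class TokenStore:
    """Per-session synchronizer tokens: issued when a form is rendered,
    verified when it is submitted. The store stands in for session state."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # session id -> token

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # constant-time comparison so the token cannot be guessed byte by byte
        return hmac.compare_digest(expected, submitted)


def allow_write(method: str, referer: Optional[str], session_id: str,
                submitted_token: Optional[str], store: TokenStore,
                site_host: str = SITE_HOST) -> bool:
    """Require both checks to pass before a state-changing request proceeds."""
    return referer_check(method, referer, site_host) and store.verify(session_id, submitted_token)


def demo() -> Dict[str, bool]:
    """Run both checks against constructed requests; returns name -> decision."""
    store = TokenStore()
    token = store.issue("sess-1")
    same_site = "https://www.example.com/profile/edit"
    cross_site = "https://attacker.example.net/exploit.html"
    lookalike = "https://www.example.com.attacker.example.net/"
    return {
        "get_no_referer": referer_check("GET", None),
        "post_same_site": referer_check("POST", same_site),
        "post_cross_site": referer_check("POST", cross_site),
        "post_no_referer": referer_check("POST", None),
        "post_lookalike_host": referer_check("POST", lookalike),
        "token_valid": store.verify("sess-1", token),
        "token_wrong_value": store.verify("sess-1", "A" * len(token)),
        "token_other_session": store.verify("sess-2", token),
        "both_same_site": allow_write("POST", same_site, "sess-1", token, store),
        "both_cross_site": allow_write("POST", cross_site, "sess-1", token, store),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {'allowed' if decision else 'refused'}")
```

The Referer check costs nothing to deploy but has two blind spots: requests that arrive without the header (which the example refuses, at the price of breaking legitimate clients that strip it) and non-browser clients that can set any Referer they like. The token check does not depend on a header the client controls, but it is only as good as the secrecy of the token: a script running on the same origin can read the form and replay the token, which is the scenario skalpa's reply points at.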
