PEAK XOOPS - In the name of CSRF protection... 2

XOOPS : In the name of CSRF protection... 2
Poster : GIJOE on 2006-06-01 04:16:00 (7735 reads)

If it simply displayed the message "The referer was not sent" and exited, the user could fix the problem immediately! And (where there is no ticket check, or where repost is implemented) at the point where it exits, the user could turn the referer on and reload without losing the content of the post either!


One of the reasons XOOPS Cube forked from XOOPS was supposed to be an understanding of the ticket system. If that is so, am I the only one who wants it not merely to introduce the ticket system, but also to remove the "for now" simple CSRF countermeasure?
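The behaviour the two paragraphs above ask for, a ticket (one-time token) check whose failure path re-offers the submitted content instead of throwing it away, as an added example in PHP. This is not code from XOOPS or XOOPS Cube; the session layout, the `csrf_ticket` field name, the function names (`csrf_issue`, `csrf_verify`, `csrf_repost_form`, `h`) and the comment form itself are assumptions made for the illustration.

```php
<?php
// Added example, not XOOPS / XOOPS Cube code. Shows a one-time CSRF ticket check
// with a "repost" fallback: a failed check re-renders the submitted form with the
// user's content and a fresh ticket, so nothing typed is lost and no silent exit occurs.
// Session layout, field name and function names are assumptions for this example.

const CSRF_FIELD = 'csrf_ticket';   // assumed hidden-field name
const CSRF_TTL   = 1800;            // seconds a ticket stays valid

// Issue a ticket for one named form; it lives server-side in the session.
function csrf_issue(string $form): string
{
    $ticket = bin2hex(random_bytes(16));
    $_SESSION['csrf'][$form] = ['t' => $ticket, 'exp' => time() + CSRF_TTL];
    return $ticket;
}

// Consume and verify the ticket sent with the request. A ticket is valid exactly once.
function csrf_verify(string $form, ?string $sent): bool
{
    $stored = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]);                  // one-time use, even on failure
    if ($stored === null || $sent === null || time() > $stored['exp']) {
        return false;
    }
    return hash_equals($stored['t'], $sent);          // constant-time comparison
}

// Escape everything echoed back: the repost page reflects user input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// "Repost": rebuild the form from the POST data as hidden fields, attach a new
// ticket, and ask the user for one confirming click. Nothing is saved yet.
function csrf_repost_form(string $form, array $post, string $action): string
{
    $html = '<form method="post" action="' . h($action) . '">' . "\n";
    foreach ($post as $k => $v) {
        if ($k === CSRF_FIELD || !is_string($v)) {
            continue;                                 // drop the stale ticket, skip arrays
        }
        $html .= '<input type="hidden" name="' . h($k) . '" value="' . h($v) . '">' . "\n";
    }
    $html .= '<input type="hidden" name="' . CSRF_FIELD . '" value="' . h(csrf_issue($form)) . '">' . "\n";
    $html .= '<p>Your session ticket was missing or expired. Nothing has been saved; '
           . 'press the button to submit your post again.</p>' . "\n";
    $html .= '<input type="submit" value="Repost">' . "\n</form>\n";
    return $html;
}

// Request handler for an (assumed) comment form.
session_start();
$form = 'comment_post';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($form, $_POST[CSRF_FIELD] ?? null)) {
        // Ticket failed: re-offer the content instead of exiting with a bare error.
        echo csrf_repost_form($form, $_POST, $_SERVER['REQUEST_URI']);
        exit;
    }
    // Ticket ok: the state-changing action goes here.
    echo '<p>Comment saved: ' . h($_POST['body'] ?? '') . '</p>';
    exit;
}

// GET: blank form with a fresh ticket.
echo '<form method="post" action="' . h($_SERVER['REQUEST_URI']) . '">' . "\n"
   . '<textarea name="body"></textarea>' . "\n"
   . '<input type="hidden" name="' . CSRF_FIELD . '" value="' . h(csrf_issue($form)) . '">' . "\n"
   . '<input type="submit" value="Post">' . "\n</form>\n";
```

A forged cross-site POST carries no valid ticket, so it only ever reaches the repost page; the attacker's origin cannot read the fresh ticket in that response under the same-origin policy, and nothing is saved until a user who actually sees the page clicks Repost. A browser that sends no Referer header is not affected at all, which is the reason for preferring the ticket over the referer check. Note that the ticket is unset even on failure, so a single leaked ticket cannot be retried.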


Comments list

GIJOE  Posted on 2006/6/2 6:48
Hi Skalpa.
"don't forget CSRF starts with the assumption that Javascript code can be inserted"
It's quite natural.
XSS + CSRF combination attack is the most powerful one.
If the form has XSS, neither referer check nor ticket make any sense.

But there are many users "referer off" in the world.

Thus, I insist

- referer check off
- ticket check (with feature of repost) on

Of course, XSS/ScriptInsertion can't be allowed.

Anyway, this english topic is much shorter than my original topic in Japanese.
Though I know I have to translate the whole of my opinion into English...

skalpa  Posted on 2006/6/1 8:38
The fact that operations which modify the state of the Web should only be allowed during a POST request is part of the Web axioms, as described in Tim Berners-Lee's notes.
So, although I'm almost sure this has not been implemented for this reason on purpose, it forces less knowledgeable developers to respect this rule, and I think it is positive in fact.
Also, on a sidenote: I think something additional has to be found... Tokens are not more secure and can be tricked and bypassed (don't forget CSRF starts with the assumption that Javascript code can be inserted).