Hey Kito -
On 10/26/10 2:01 PM, Kito Mann wrote:
> On Mon, Oct 25, 2010 at 8:14 PM, Blake Sullivan
> <blake.sullivan(a)oracle.com> wrote:
> > This leaves the ever popular GETs. I'm probably being lazy, but at this
> > point I'm willing to punt on GETs because of potential problems with:
> >
> > 1) Worries about referer leakage if the secret is encoded in the URL
> > 2) How to deal with bookmarking
> > 3) General dislike for ugly URLs
> >
> > Admittedly, I think that 2) is the only one that really requires more
> > thought, since I think that the solution to 1) is to a) Only worry about
> > CSRF for pages served through a secure channel b) Require that pages served
> > to authenticated users be served through a secure channel. For 3), I think
> > it's gross but, that's just me :)
> >
> I think leaving out support for GETs is a bad idea.
I agree that we should support GETs. My concern isn't whether we should
support this - but whether the currently proposed approach of enabling
this on a global/application level is the right way to go. I think we
need a finer grained solution.
Andy