On Tue, Oct 26, 2010 at 2:41 PM, Andy Schwartz <andy.schwartz(a)oracle.com> wrote:
> Hey Kito -
> On 10/26/10 2:01 PM, Kito Mann wrote:
>>
>> On Mon, Oct 25, 2010 at 8:14 PM, Blake Sullivan
>> <blake.sullivan(a)oracle.com> wrote:
>>
>>>
>>> This leaves the ever popular GETs. I'm probably being lazy, but at this
>>> point I'm willing to punt on GETs because of potential problems with:
>>>
>>> 1) Worries about referer leakage if the secret is encoded in the URL
>>> 2) How to deal with bookmarking
>>> 3) General dislike for ugly URLs
>>>
>>> Admittedly, I think that 2) is the only one that really requires more
>>> thought, since I think that the solution to 1) is to a) Only worry about
>>> CSRF for pages served through a secure channel b) Require that pages served
>>> to authenticated users be served through a secure channel. For 3), I think
>>> it's gross, but that's just me :)
>>>
>>
>> I think leaving out support for GETs is a bad idea.
> I agree that we should support GETs. My concern isn't whether we should
> support this - but whether the currently proposed approach of enabling this
> on a global/application level is the right way to go. I think we need a
> finer-grained solution.
Perhaps I missed it earlier in the thread, but why? And what would you propose?
-- Kito
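The GET handling Blake sketches above (only check the URL-borne secret on pages served over a secure channel, and insist that authenticated users are served over a secure channel), together with the bookmarking problem he flags, can be made concrete in a few lines. The following is an added example written for this page; it is not code from the thread, from Trinidad, or from any JSF implementation. The parameter name `_csrf`, the helper names, the host `app.example` and the request shapes are all assumptions constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Assumed name of the query parameter that carries the per-session secret.
TOKEN_PARAM = "_csrf"


def new_session_token():
    """Mint a fresh per-session secret (what a bookmarked URL ends up carrying)."""
    return secrets.token_urlsafe(32)


def add_token(url, token):
    """Append the session secret to a GET URL (the 'ugly URL' of point 3)."""
    sep = "&" if urlsplit(url).query else "?"
    return f"{url}{sep}{TOKEN_PARAM}={token}"


def check_get(url, authenticated, session_token):
    """Decide whether a GET may proceed, following the two rules in the thread.

    (b) Pages for authenticated users must be served over a secure channel,
        so an authenticated GET over plain http is refused outright. This is
        also what keeps the URL-borne secret out of http Referer headers.
    (a) CSRF is only enforced on the secure channel: once (b) holds, every
        authenticated GET is https and must carry a token matching the session.

    Returns (allowed, reason).
    """
    scheme = urlsplit(url).scheme
    if not authenticated:
        # No authenticated state to forge; nothing to protect here.
        return True, "anonymous GET: no CSRF check"
    if scheme != "https":
        return False, "authenticated GET over http: refuse (rule b)"
    supplied = parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [""])[0]
    if not session_token or not hmac.compare_digest(supplied, session_token):
        # A bookmarked URL from an earlier session lands here (point 2):
        # the token it carries is not the one bound to the current session.
        return False, "token missing or does not match current session (rule a)"
    return True, "token matches current session"


if __name__ == "__main__":
    tok = new_session_token()
    url = add_token("https://app.example/account/close", tok)
    print(check_get(url, True, tok))                        # allowed
    print(check_get(url, True, new_session_token()))        # bookmarked, new session
    print(check_get(url.replace("https", "http", 1), True, tok))  # http, refused
```

The comparison uses `hmac.compare_digest` so a mismatched token does not leak timing information, and the bookmarking failure in the thread shows up directly: the same URL that passes in the session that minted the token is rejected once the user returns in a new session. The example does not attempt to model browser Referer behaviour; rule (b) sidesteps that by keeping the secret off plain-http pages altogether.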