Closed luckydrq closed 9 years ago
GET/HEAD to update database or other backend data.

If GET/HEAD requests need csrf, how can the frontend page get the csrf token? @dead-horse
via cookie. The frontend page makes the GET/HEAD request taking along the cookie that contains the csrf token planted by the previous response.
how can the frontend page get the cookie when they can't GET the server without a csrf token?

it is really unnecessary to verify the csrf token when GET/HEAD only query the server.
yeah, i know what you mean, not every GET page needs csrf verification. maybe some sensitive GET pages need such concern while others don't.

do not use the default middleware, use this.assertCSRF directly.
Alright.
uh.. i've reconsidered the scenario and it seems my previous concern is not necessary. even if the victim user gets a sensitive GET page requested from an untrusted website (csrf), how would the attacker get the info?
Think of two situations:

1. GET/HEAD methods are used to do write operations in the backend, then risks rise.
2. GET/HEAD are used to query data, attackers can easily get data which may be sensitive via csrf.