koajs / csrf

CSRF tokens for koa
MIT License
264 stars 32 forks

risks of ignoring `GET/HEAD` requests? #14

Closed luckydrq closed 9 years ago

luckydrq commented 9 years ago

Think of two situations:

  1. If there are some bad designs in someone's code and GET/HEAD methods are used to do write operations in the backend, then risks rise.
  2. Even if GET/HEAD are only used to query data, attackers can easily get data which may be sensitive via CSRF.

dead-horse commented 9 years ago
  1. You should _never_ use GET/HEAD to update the database or other backend data.
  2. If GET/HEAD requests need CSRF, how can the frontend page get the CSRF token?

luckydrq commented 9 years ago

@dead-horse

> if GET/HEAD requests need CSRF, how can the frontend page get the CSRF token?

Via cookie.

luckydrq commented 9 years ago

The frontend page makes the GET/HEAD request along with the cookie that contains the CSRF token planted by the previous response.

dead-horse commented 9 years ago

How can the frontend page get the cookie when it can't GET the server without a CSRF token?

It is really unnecessary to verify the CSRF token when GET/HEAD only query the server.

luckydrq commented 9 years ago

Yeah, I know what you mean: not every GET page needs CSRF verification.

Maybe some sensitive GET pages need such concern while others don't.

dead-horse commented 9 years ago

Do not use the default middleware; use `this.assertCSRF` directly.

luckydrq commented 9 years ago

Alright.

Uh... I've reconsidered the scenario and it seems my previous concern is not necessary. Even if the victim user gets a sensitive GET page requested from an untrusted website (CSRF), how would the attacker get the info?