maxcountryman / flask-seasurf

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).
http://readthedocs.org/docs/flask-seasurf/

Token validation for GET requests #36

Closed FSX closed 11 years ago

FSX commented 11 years ago

I've been reading about CSRF and it looks like one should only do retrieval with GET request and everything else with a POST request. This is quite inconvenient with a list of delete links in a list or a logout link.

maxcountryman commented 11 years ago

I'm not sure I follow.

FSX commented 11 years ago

Oh sorry. Rephrase: I would like to use Flask-Seasurf not only for HTTP POST requests, but also for HTTP GET requests.

maxcountryman commented 11 years ago

Ah okay. Well, the reason that GET requests aren't validated is because they should not contain a body. In other words, GET is not an entity method. Actually, Flask-Seasurf will validate all entity-method requests, not just POSTs.

We could move the non-entity method tuple into a module-level constant which you could overload at runtime to achieve this. What do you think?

FSX commented 11 years ago

That sounds good.

This means that I can also validate non-entity methods w/o a body and pass the token in a URL parameter (e.g. url.net?token=123)?

maxcountryman commented 11 years ago

The token passing would still happen through the previous mechanism, so no.

FSX commented 11 years ago

How would you protect GET requests (e.g. a logout link) against CSRF?

alanhamlett commented 11 years ago

@FSX CSRF is meant to prevent data modification. Logging out the user is annoying, but does not modify any data.

Considering this, if you still want to use a CSRF token on a logout url then you should follow the HTTP standard and use a POST, PUT, or DELETE method instead of GET.
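The two points made in this thread, that validation is skipped for non-entity methods by default (with a module-level tuple that could be overridden to include GET), that the token is still read from the request body or a header rather than a `?token=` query parameter, and that a logout control belongs in a POST form, can be shown together in one small check. The code below is an added illustration written for this issue, not Flask-SeaSurf's own implementation; the names `NON_ENTITY_METHODS`, `TOKEN_FIELD`, `TOKEN_HEADER` and the `Request` stand-in are assumptions made for the example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Request methods that carry no entity body. The CSRF check skips these by
# default; this is the kind of module-level constant the thread proposes
# overriding at runtime. The name is an assumption, not the extension's own.
NON_ENTITY_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

# Form field and header the token is read from (assumed names).
TOKEN_FIELD = "_csrf_token"
TOKEN_HEADER = "X-CSRFToken"


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (constructed)."""
    method: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    args: dict = field(default_factory=dict)   # query string; deliberately never consulted


def new_token() -> str:
    """Generate a fresh, unguessable per-session token."""
    return secrets.token_urlsafe(32)


def submitted_token(req: Request):
    """Read the token from the form body or a header, never from the URL,
    so it cannot leak through Referer headers, browser history or access logs."""
    return req.form.get(TOKEN_FIELD) or req.headers.get(TOKEN_HEADER)


def csrf_check(req: Request, session_token, exempt_methods=NON_ENTITY_METHODS) -> bool:
    """Return True when the request may proceed.

    Methods listed in exempt_methods pass through unvalidated. Supplying a
    tuple without "GET" extends validation to GET requests, as discussed in
    the thread, but the token is still taken from the form or header."""
    if req.method.upper() in exempt_methods:
        return True
    token = submitted_token(req)
    if not session_token or not token:
        return False
    # Constant-time comparison so a forged token cannot be matched byte by byte.
    return hmac.compare_digest(session_token, token)


def logout_form(token: str, action: str = "/logout") -> str:
    """Render the logout control as a POST form carrying the token, the
    state-change-as-POST approach recommended above instead of a GET link."""
    return (
        f'<form method="post" action="{html.escape(action)}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{html.escape(token)}">'
        f'<button type="submit">Log out</button></form>'
    )


if __name__ == "__main__":
    tok = new_token()
    print(csrf_check(Request("GET"), tok))                                # exempt by default
    print(csrf_check(Request("POST", form={TOKEN_FIELD: tok}), tok))      # valid POST
    print(csrf_check(Request("POST", form={TOKEN_FIELD: "forged"}), tok))  # rejected
    # GET validated once removed from the exempt tuple; a query-string token does not count.
    print(csrf_check(Request("GET", args={"token": tok}), tok, exempt_methods=("HEAD", "OPTIONS")))
    print(logout_form(tok))
```

Removing `"GET"` from the exempt tuple makes every GET fail unless the caller supplies the token through the form or header, which is the behaviour the maintainer describes: the validation scope widens, but the token-passing mechanism does not change to the query string.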

maxcountryman commented 11 years ago

I agree with what @alanhamlett said. Closing this for now.