Avoid sending CSRF token in GET and external forms
6bd8542abb38
Actions

Authored by vrana <jakubv@fb.com> on Feb 3 2012, 03:09.

Description

Avoid sending CSRF token in GET and external forms

Summary:
Sending CSRF token in GET forms is dangerous because if there are external links
on the target page then the token could leak through Referer header.
The token is not required for anything because GET forms are used only to
display data, not to perform operations.
Sending CSRF tokens to external URLs leaks the token immediately.

Please note that <form action> defaults to GET.

PhabricatorUserOAuthSettingsPanelController suffered from this problem for both
reasons.

Test Plan: Save my settings (POST form).

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1558

Details

Committed

vrana <jakubv@fb.com>

Feb 3 2012, 19:58

Pushed

aubort

Jan 31 2017, 17:16

Parents

rPHc0efecb56194: Specify encoding in <meta>

Branches

Unknown

Tags

Unknown

Event Timeline

vrana <jakubv@fb.com> committed rPH6bd8542abb38: Avoid sending CSRF token in GET and external forms (authored by vrana <jakubv@fb.com>).Feb 3 2012, 19:58

Changes (4)

				Path
	M			src/infrastructure/javelin/markup/__init__.php
	M			src/infrastructure/javelin/markup/markup.php
	M			src/view/form/base/AphrontFormView.php
	M			src/view/form/base/__init__.php