phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2024-11-27 17:22:42 +01:00

History

vrana 6bd8542abb Avoid sending CSRF token in GET and external forms Summary: Sending CSRF token in GET forms is dangerous because if there are external links on the target page then the token could leak through Referer header. The token is not required for anything because GET forms are used only to display data, not to perform operations. Sending CSRF tokens to external URLs leaks the token immediately. Please note that <form action> defaults to GET. PhabricatorUserOAuthSettingsPanelController suffered from this problem for both reasons. Test Plan: Save my settings (POST form). Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: https://secure.phabricator.com/D1558	2012-02-03 10:58:51 -08:00
..
api	PhabricatorEnv	2011-01-31 11:55:26 -08:00
markup	Avoid sending CSRF token in GET and external forms	2012-02-03 10:58:51 -08:00

vrana 6bd8542abb Avoid sending CSRF token in GET and external forms

Summary:
Sending CSRF token in GET forms is dangerous because if there are external links
on the target page then the token could leak through Referer header.
The token is not required for anything because GET forms are used only to
display data, not to perform operations.
Sending CSRF tokens to external URLs leaks the token immediately.

Please note that <form action> defaults to GET.

PhabricatorUserOAuthSettingsPanelController suffered from this problem for both
reasons.

Test Plan: Save my settings (POST form).

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1558

2012-02-03 10:58:51 -08:00

api

PhabricatorEnv

2011-01-31 11:55:26 -08:00

markup

Avoid sending CSRF token in GET and external forms

2012-02-03 10:58:51 -08:00