Yes, that's why I said that Sec-Fetch-Site by itself is not enough - combined with POST it should be sufficient, hence why I think that GET requests should not change state.

I am tempted to disagree

IMHO user generated content isn't a problem per se (as long as the UGC can't create a POST; if it can ... that would indeed be a problem).
So as long as UGC can't do that and all protected actions are only performed via POST, tokens wouldn't be required.

In fact, having CSRF tokens in URLs is potentially dangerous as they can leak rather easily.
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

I've got at least one PoC where CSRF tokens in URL could be leaked from XenForo via Referer header.
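As an added example (not code from the post or from XenForo), a server-side gate implementing the combination described above: Fetch Metadata (Sec-Fetch-Site) decides for state-changing methods, safe methods are always let through because they must never change state, and an Origin comparison is assumed as the fallback for browsers that do not send Sec-Fetch-Site. The `own_origin` value and the sample requests are constructed.

```python
# Assumed policy choices: "same-site" is rejected (subdomains are not trusted),
# and a request with neither Sec-Fetch-Site nor Origin is rejected rather than
# falling back to a token. Header names are the real ones; nothing else is.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


def csrf_check(method: str, headers: dict, own_origin: str = "https://forum.example"):
    """Return (allowed, reason) for one request.

    Safe methods are always allowed: if they never change state, a forged one
    gains nothing. Note this also means a cross-site GET passes, which is exactly
    why state changes must not be reachable via GET.
    """
    method = method.upper()
    if method in SAFE_METHODS:
        return True, "safe method"

    h = {k.lower(): v for k, v in headers.items()}  # case-insensitive lookup

    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        sfs = sfs.lower()
        if sfs in ("same-origin", "none"):  # "none" = typed URL / bookmark
            return True, f"sec-fetch-site={sfs}"
        return False, f"sec-fetch-site={sfs}"

    # Fallback (assumed) for browsers without Fetch Metadata: compare Origin.
    origin = h.get("origin")
    if origin is None:
        return False, "no fetch metadata or origin"
    if origin.lower() == own_origin.lower():
        return True, "origin matches"
    return False, "origin mismatch"


# Constructed sample requests covering each branch.
SAMPLES = [
    ("POST", {"Sec-Fetch-Site": "cross-site"}),   # rejected
    ("POST", {"Sec-Fetch-Site": "same-origin"}),  # allowed
    ("GET",  {"Sec-Fetch-Site": "cross-site"}),   # allowed: GET must be side-effect free
    ("POST", {}),                                  # rejected: nothing to verify
    ("POST", {"Origin": "https://forum.example"}), # allowed via fallback
    ("POST", {"Origin": "https://other.example"}), # rejected via fallback
]

if __name__ == "__main__":
    for m, hdrs in SAMPLES:
        print(m, hdrs, "->", csrf_check(m, hdrs))
```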