Cross-site request forgery
Posted Oct 18, 2007 1:10 UTC (Thu) by jwb
Parent article: Cross-site request forgery
The real problem underlying XSRF is that the self-styled "developers" behind most web hacks don't respect the difference between the GET and POST request methods. A GET should not have side effects! If I can vote in a poll on your site using nothing other than a GET, that is an HTTP protocol violation. Quoting from RFC 2616 (which is almost 10 years old):
Methods can also have the property of "idempotence" in that (aside from error or expiration issues) the side-effects of N > 0 identical requests is the same as for a single request. The methods GET, HEAD, PUT and DELETE share this property...
The GET method means retrieve whatever information (in the form of an entity) is identified by the Request-URI...
The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line.
to post comments)