Unfortunately, using POST requests instead of GET requests is not
enough. It will not prevent attacks that use forms and/or JavaScript to
generate POST requests.
Alex
On 03/09/2010 02:48 PM, Caleb James DeLisle wrote:
I had thought about proposing this myself but decided against it because it seems
to me like a workaround for problems which can be solved in other ways.

Suppose we were to add a check to the actions which alter data which made sure the
request method was 'post' and made it configurable in one of the configuration
files? We would have to look over the default skins for incorrect links and leave
the configuration option off by default for backward compatibility at least until
the next major version, but we could provide wiki operators the ability to prevent
CSRF.
Caleb
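As an added illustration of Alex's point (example code written for this page, not from the thread or from any wiki project): the proposed POST-only check accepts a POST produced by a third-party form, while a session-bound form token, compared in constant time, rejects it. The secret key, session id and request dictionaries are constructed for the example.

```python
import hmac
import hashlib

# Constructed server-side secret for this example; a real deployment would load it
# from configuration and never expose it in skins or templates.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def issue_form_token(session_id: str) -> str:
    """Derive a token bound to the user's session; the server embeds it in its own forms."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def method_only_check(request: dict) -> bool:
    """The proposed configurable check: only require that the request method is POST."""
    return request["method"] == "POST"


def token_check(request: dict, session_id: str) -> bool:
    """Require POST *and* a session-bound token that a third-party page cannot know."""
    if request["method"] != "POST":
        return False
    submitted = request.get("form", {}).get("form_token", "")
    expected = issue_form_token(session_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(submitted, expected)


# Constructed sample traffic, all arriving with the cookie of one logged-in session.
SESSION_ID = "session-abc123"
REQUESTS = {
    # Plain link in a wiki skin: the case a POST-only rule is meant to stop.
    "get_link": {"method": "GET", "form": {"action": "delete", "page": "Main.Home"}},
    # Form auto-submitted from a third-party page: the server sees a POST, but the
    # form cannot carry the session-bound token because the other site never had it.
    "cross_site_post": {"method": "POST", "form": {"action": "delete", "page": "Main.Home"}},
    # Form rendered by the wiki itself, which embedded the token for this session.
    "same_site_post": {"method": "POST", "form": {"action": "delete", "page": "Main.Home",
                                                  "form_token": issue_form_token(SESSION_ID)}},
}


def evaluate() -> dict:
    """Run both checks over the samples; returns {name: (method_only_ok, token_ok)}."""
    return {name: (method_only_check(req), token_check(req, SESSION_ID))
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, (m, t) in evaluate().items():
        print(f"{name:16} POST-only: {'allowed' if m else 'blocked':8} token: {'allowed' if t else 'blocked'}")
```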