Hi Florian,

Could you explain the reasoning behind the fact that CsrfManager#check verifies the token in the request parameter if this is a GET content request?

I don't see the point in doing any CSRF check for a GET... In other words, I don't see an attack model that would make this necessary.

Thanks,
Florent

--
Florent Guillaume
Head of R&D
Nuxeo <https://www.nuxeo.com/>
LinkedIn <https://www.linkedin.com/in/fguillaume/> | Twitter <https://twitter.com/efge> | Github <https://github.com/efge>
Nuxeo Content Services Platform. Stay ahead.
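To make the two positions in the question concrete, here is an added illustration (not Nuxeo's CsrfManager, not code from this thread) of a token check applied to every method versus one that skips GET. The `Request` model, the paths and the `csrf_token` parameter name are constructed for the example; the second policy is only sound if no GET handler has side effects.

```python
"""Added illustration: two CSRF token-check policies (hypothetical helpers)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that RFC 7231 calls "safe": the check-unsafe-only policy trusts them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Constructed request model: method, path, query/form params, session token."""
    method: str
    path: str
    params: dict = field(default_factory=dict)
    session_token: str = ""  # token bound to the authenticated session


def token_matches(request: Request) -> bool:
    """Constant-time compare of the token in the request parameters with the session token."""
    supplied = request.params.get("csrf_token", "")
    return bool(request.session_token) and hmac.compare_digest(supplied, request.session_token)


def check_all_methods(request: Request) -> bool:
    """Policy A: every request, GET included, must carry a valid token."""
    return token_matches(request)


def check_unsafe_methods_only(request: Request) -> bool:
    """Policy B: only state-changing methods are checked; GET is passed through."""
    if request.method in SAFE_METHODS:
        return True
    return token_matches(request)


def demo() -> dict:
    """Run both policies against a forged GET (no token) and a legitimate POST."""
    token = secrets.token_urlsafe(16)
    # Constructed inputs: a cross-site GET to a path that (wrongly) mutates state,
    # and a same-site POST that carries the session's token.
    forged_get = Request("GET", "/documents/delete", {"id": "42"}, token)
    legit_post = Request("POST", "/documents/delete", {"id": "42", "csrf_token": token}, token)
    return {
        "forged_get_policy_all": check_all_methods(forged_get),          # False: rejected
        "forged_get_policy_unsafe": check_unsafe_methods_only(forged_get),  # True: slips through
        "legit_post_policy_all": check_all_methods(legit_post),          # True
        "legit_post_policy_unsafe": check_unsafe_methods_only(legit_post),  # True
    }
```

The difference between the two results for `forged_get` is the whole trade-off: policy B depends on every GET endpoint being free of side effects, policy A does not.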