Yasuo Ohgaki wrote on 10/05/2016 11:57:
> To protect all of URLs automatically, all URLs need to have token.
> That's the reason why all URLs have token.

In my opinion, that fails on both counts: not all URLs need protection (I would say for most applications, the majority of URLs do not need it), and not all URLs will be protected automatically (because rewriting HTML is a hard problem, and because some submissions that need protecting are not generated as HTML).

Interestingly, the OWASP page has a whole section on the dangers of exposing CSRF tokens in URLs: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL
It backs up my gut feeling that exposing the CSRF token too widely can severely diminish its usefulness; for instance, by exposing tokens in Referer headers sent to external sites.

There may be types of application that would benefit from every page having a "CSRF or die" policy - e.g. online banking - but I don't think they represent a large proportion of the PHP user space, or benefit significantly from having the functionality built into the language. For everyone else, all that's needed is functions to manually generate, save, and validate tokens, and those can trivially be written as a userland library. Indeed there are plenty: https://packagist.org/search/?q=csrf

Regards,
--
Rowan Collins
[IMSoP]

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
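The "generate, save, and validate" userland helper that the message above describes, written out as an added example. This is not code from the thread, from PHP itself, or from any package on Packagist; the function names (csrf_token, csrf_field, csrf_validate), the session key, and the hidden-field / header names are assumptions. It deliberately keeps the token out of URLs (so it cannot leak through Referer headers, the OWASP concern cited above) and only checks state-changing methods, since most URLs need no protection.

```php
<?php
// Added example: a minimal userland CSRF helper (generate / save / validate).
// Names and conventions below are assumptions for illustration, not a real library.

declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';

// Generate one token per session, created from the CSPRNG, and keep it in
// $_SESSION. It is only ever emitted in a hidden form field or a request
// header, never in a URL, so it does not end up in Referer headers or logs.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32)); // 256-bit token
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input for the forms that actually change state.
function csrf_field(): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate only on state-changing requests. Safe methods (GET/HEAD/OPTIONS)
// carry no token and are left alone; everything else must present the
// session token in the form body or in an X-CSRF-Token header.
// hash_equals() compares in constant time to avoid a timing side channel.
function csrf_validate(string $method, array $post, ?string $headerToken = null): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $submitted = $post['_csrf'] ?? $headerToken ?? '';
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals(csrf_token(), $submitted);
}

// Usage at the top of a state-changing handler (deny by default):
//   $ok = csrf_validate(
//       $_SERVER['REQUEST_METHOD'],
//       $_POST,
//       $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null
//   );
//   if (!$ok) {
//       http_response_code(403);
//       exit('Invalid CSRF token');
//   }
//
// In the form template for that handler:
//   <form method="post" action="/transfer"><?= csrf_field() ?> ... </form>
```

Two design points worth noting: the token is bound to the session rather than regenerated per page, so ordinary multi-tab browsing does not spuriously fail validation, and the check is opt-in per handler, which is exactly the "only the submissions that need it" model the message argues for, as opposed to rewriting every URL.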
