Hi Stas,

On Wed, May 11, 2016 at 7:58 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>>> Add where? And where would that value come from? RFC says nothing about
>>> that.
>>
>> As usual. Query parameter when GET is used. Additional input when POST
>> is used. All users have to do is add the CSRF token to the JS program.
>
> GET and POST aren't the only HTTP methods. And where would the JS program
> get the correct token from? As far as I can see, there's no function in
> the RFC that produces it.

PHP doesn't have support for other methods yet.
If users have their own implementation of PUT/etc., they may validate the CSRF
token manually.

I intended this feature for simple applications that lack CSRF
protection at first, but it seems I had better change the objective. I'll
change the target to semi-automatic/manual CSRF protection.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
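
The per-method token handling discussed in this thread (query parameter for GET, additional input for POST, manual validation for PUT and other methods), as an added example that is not part of the original message or of the RFC. The function names, the `csrf_token` field name and the `X-CSRF-Token` header are assumptions.

```php
<?php
// Added illustration: helper names, the csrf_token field and the
// X-CSRF-Token header are assumptions, not the API proposed in the RFC.
// Issue one random token per session; the page template embeds it in
// forms and exposes it to the JS program (e.g. in a <meta> tag).
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}
// Find the token the client sent. No return type: hostile input such as
// csrf_token[]=x arrives as an array and is rejected in csrf_validate().
function csrf_extract_token(string $method, array $get, array $post, array $server, string $rawBody)
{
    switch (strtoupper($method)) {
        case 'GET':  return $get['csrf_token'] ?? null;   // query parameter
        case 'POST': return $post['csrf_token'] ?? null;  // additional form input
    }
    // PUT/PATCH/DELETE: PHP does not fill $_POST, so validate manually
    // from a request header or a urlencoded body.
    if (isset($server['HTTP_X_CSRF_TOKEN'])) {
        return $server['HTTP_X_CSRF_TOKEN'];
    }
    parse_str($rawBody, $fields);
    return $fields['csrf_token'] ?? null;
}

function csrf_validate(array $session, $sent): bool
{
    $expected = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time; empty or non-string input fails.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}
// Constructed requests standing in for $_GET, $_POST, $_SERVER and php://input.
$session = [];
$token = csrf_issue_token($session);
$cases = [
    'GET, token in query'  => ['GET', ['csrf_token' => $token], [], [], ''],
    'POST, token missing'  => ['POST', [], ['name' => 'x'], [], ''],
    'PUT, token in header' => ['PUT', [], [], ['HTTP_X_CSRF_TOKEN' => $token], ''],
    'PUT, token in body'   => ['PUT', [], [], [], 'csrf_token=' . $token . '&name=x'],
    'GET, array injected'  => ['GET', ['csrf_token' => [$token]], [], [], ''],
];
foreach ($cases as $label => $args) {
    $ok = csrf_validate($session, csrf_extract_token(...$args));
    printf("%-22s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

A token carried in a GET query string ends up in server logs, browser history and Referer headers, so the header form is the safer channel for requests issued from JS.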
