Hi Stas,

On Wed, May 11, 2016 at 7:58 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>>> Add where? And where that value would come from? RFC says nothing about
>>> that.
>>
>> As usual. Query parameter when GET is used. Additional input when POST
>> is used. All users have to do is add the CSRF token to the JS program.
>
> GET and POST aren't the only HTTP methods. And where would the JS program
> get the correct token from? As far as I can see, there's no function in
> the RFC that produces it.
JS code that does not have pages at all may obtain the CSRF token manually.

get_csrf_token.php:

<?php
// 'csrf_protection' and SESSION_CSRF_GET are the session option and constant
// proposed by the RFC under discussion; they are not part of current PHP.
session_start(['csrf_protection' => SESSION_CSRF_GET]);
// SESSCSRF is the RFC's proposed constant holding the current token.
echo json_encode(['SESSCSRF' => SESSCSRF]);
?>

Then JS apps may use the token. Users must be careful about the CSRF token TTL.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
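A hand-rolled equivalent of the token endpoint sketched in the message above, added here as an example; it is not the RFC's API and not Yasuo's code. It uses only functions that exist in current PHP, assumes the JS app sends the token in an X-CSRF-Token header (or a csrf_token POST field), and enforces the TTL the message says users must watch.

```php
<?php
// Added example: a plain-PHP token endpoint plus validation with a TTL.
// The RFC's SESSION_CSRF_GET / SESSCSRF are hypothetical and not used here.

const CSRF_TTL = 1800; // seconds a token stays valid

// Issue a token bound to this session, or reuse the current one if it
// has not expired yet; the expiry is returned so the JS app can refresh.
function csrf_issue_token(): array
{
    if (!isset($_SESSION['csrf']) || $_SESSION['csrf']['exp'] < time()) {
        $_SESSION['csrf'] = [
            'token' => bin2hex(random_bytes(32)),
            'exp'   => time() + CSRF_TTL,
        ];
    }
    return $_SESSION['csrf'];
}

// Validate a submitted token: constant-time comparison, and an expired
// token is discarded so a stale value cannot be replayed.
function csrf_validate_token(?string $submitted): bool
{
    if ($submitted === null || !isset($_SESSION['csrf'])) {
        return false;
    }
    $stored = $_SESSION['csrf'];
    if ($stored['exp'] < time()) {
        unset($_SESSION['csrf']);
        return false;
    }
    return hash_equals($stored['token'], $submitted);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // get_csrf_token.php equivalent: JS fetches this with credentials
    // and reads 'token' and 'exp' out of the JSON body.
    header('Content-Type: application/json');
    echo json_encode(csrf_issue_token());
    exit;
}

// Every state-changing method (POST, PUT, DELETE, ...) must carry the token;
// reading it from a header works for requests that are not HTML forms.
$token = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_POST['csrf_token'] ?? null;
if (!csrf_validate_token($token)) {
    http_response_code(403);
    exit('invalid or expired CSRF token');
}
```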