> JS code that does not have pages at all may obtain CSRF token manually.
That's against CSRF protection... in fact, a remote app can also obtain the token and perform cross-site request forgery... -1

On Tue, May 10, 2016 at 9:17 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Stas,
>
> On Wed, May 11, 2016 at 7:58 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>
>>> Add where? And where would that value come from? The RFC says nothing about that.
>>
>> As usual. A query parameter when GET is used, additional input when POST is used. All users have to do is add the CSRF token to the JS program.
>
> GET and POST aren't the only HTTP methods. And where would the JS program get the correct token from? As far as I can see, there's no function in the RFC that produces it.

> JS code that does not have pages at all may obtain the CSRF token manually.
>
> get_csrf_token.php
> <?php
> session_start(['csrf_protection'=>SESSION_CSRF_GET]);
> echo json_encode(['SESSCSRF'=>SESSCSRF]);
> ?>
>
> Then JS apps may use the token. Users must be careful about the CSRF token TTL.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Kinn Coelho Julião
Toronto - ON/Canada
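As an added example, not code from the thread or from the RFC under discussion: a userland equivalent of the token endpoint and its check, written with standard PHP functions instead of the proposed `csrf_protection` session option, and covering the non-GET/POST methods Stas raises. The 30-minute TTL and the `X-CSRF-Token` header name are assumptions.

```php
<?php
// Added example: per-session CSRF token issued and verified in userland.
// Does not use the RFC's 'csrf_protection' option or SESSCSRF constant.
declare(strict_types=1);

const CSRF_TTL = 1800; // seconds; assumed value for the TTL Yasuo mentions

function csrf_token(): string {
    // The token lives in the session, so only a client that already holds
    // the session cookie is given it; it is rotated once the TTL expires.
    if (empty($_SESSION['csrf']) || time() - ($_SESSION['csrf_issued'] ?? 0) > CSRF_TTL) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
        $_SESSION['csrf_issued'] = time();
    }
    return $_SESSION['csrf'];
}

function csrf_check(?string $submitted): bool {
    if ($submitted === null || empty($_SESSION['csrf'])) {
        return false;
    }
    if (time() - ($_SESSION['csrf_issued'] ?? 0) > CSRF_TTL) {
        return false; // expired token: the client must fetch a fresh one
    }
    // Constant-time comparison so the check does not leak the token byte by byte.
    return hash_equals($_SESSION['csrf'], $submitted);
}

session_start();

// Equivalent of get_csrf_token.php: JS on the same origin fetches this with
// the session cookie. No permissive Access-Control-Allow-Origin header is
// sent, so a page on another origin cannot read the JSON body.
if ($_SERVER['REQUEST_METHOD'] === 'GET' && ($_GET['action'] ?? '') === 'token') {
    header('Content-Type: application/json');
    echo json_encode(['csrf' => csrf_token()]);
    exit;
}

// Every state-changing method, not only POST, must carry the token, either
// as a form field or as the (assumed) X-CSRF-Token request header.
if (in_array($_SERVER['REQUEST_METHOD'], ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
    $token = $_POST['csrf'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!csrf_check($token)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
}
```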