Yasuo Ohgaki <yohg...@ohgaki.net> wrote on Wed, 11 May 2016 03:11:

> Hi Stas,
>
> On Wed, May 11, 2016 at 7:58 AM, Stanislav Malyshev <smalys...@gmail.com>
> wrote:
> >>> Add where? And where that value would come from? RFC says nothing about
> >>> that.
> >>
> >> As usual. Query parameter when GET is used. Additional input when POST
> >> is used. All users have to do is adding CSRF token to JS program.
> >
> > GET and POST aren't the only HTTP methods. And where JS program would
> > get the correct token from? As far as I can see, there's no function in
> > the RFC that produces it.
>
> PHP doesn't have other method support yet.
>

You can use whatever method you like. It's the browsers that don't support
other methods in forms. And JS needs a preflight request for other methods,
so that shouldn't be an issue.

> If users have their implementation PUT/etc, they may validate CSRF
> token manually.
>
> I intended this feature for simple applications that lack CSRF
> protection at first, but it seems I'm better to change objective. I'll
> change target to semi automatic/manual CSRF protection.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
