On Tue, Sep 30, 2008 at 02:51:58PM +0000, corvid wrote:
Joerg wrote:
On Tue, Sep 30, 2008 at 12:56:05PM +0000, corvid wrote:
So my latest little experiment: out of the image urls your browser sees that have queries (the '?a=b&c=d&e=f'), how many are
There's nothing wrong with that. Such an image URL is a simple GET request. Any web application doing a modification is broken by design and there are good reasons for allowing such URLs. The problem is allowing POST actions to a different site than the one issuing it.
Isn't that part of the problem -- that broken sites are using GET for things they shouldn't?
CSRF is about both. Broken sites are broken sites -- not much to do about them. What I do worry about are properly written web applications, e.g. those that correctly use GET/POST, but don't have explicit protection about CSRF. The latter is kind of intrusive if the framework used doesn't allow that.
PS How about not sending cookies with queries for images?
Breaks if you are using session control to decide what images can be accessed.
Joerg
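As an added illustration of the points made in this thread (my own toy model, not code from Dillo or from anyone in the discussion; the session store, handlers, wallet balances and image names are constructed), the block below contrasts a handler that changes state on a GET, which a cross-site image URL reaches with the user's cookie attached, against one that requires POST plus a per-session anti-CSRF token, and shows why simply not sending cookies with image requests breaks session-gated images.

```python
import secrets
from dataclasses import dataclass, field

SESSIONS = {}                              # session_id -> {"user", "csrf"}
WALLETS = {}                               # user -> balance (constructed)
PRIVATE_IMAGES = {"alice": {"photo.png"}}  # images gated by the session

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, for the model)."""
    method: str
    path: str
    query: dict = field(default_factory=dict)    # the '?a=b&c=d' part
    cookies: dict = field(default_factory=dict)  # sent on every GET, images too
    form: dict = field(default_factory=dict)     # POST body fields

def login(user):
    """Create a session and a per-session anti-CSRF token."""
    sid, tok = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": tok}
    WALLETS.setdefault(user, 100)
    return sid, tok

def current_user(req):
    s = SESSIONS.get(req.cookies.get("sid"))
    return s["user"] if s else None

def transfer_broken(req):
    """Broken by design: a plain GET with a query modifies state, so any
    page that embeds the URL as an image triggers it with the cookie."""
    user = current_user(req)
    if user is None:
        return 403
    WALLETS[user] -= int(req.query.get("amount", 0))
    return 200

def transfer_protected(req):
    """Properly written: POST only, and the form must carry the token
    that only a page served inside this session could have seen."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return 403
    expected = SESSIONS[req.cookies["sid"]]["csrf"]
    if not secrets.compare_digest(req.form.get("csrf", ""), expected):
        return 403
    WALLETS[user] -= int(req.form.get("amount", 0))
    return 200

def image(req):
    """Session-gated image: dropping cookies from image GETs breaks this."""
    user = current_user(req)
    name = req.path.rsplit("/", 1)[-1]
    return 200 if user and name in PRIVATE_IMAGES.get(user, ()) else 403
```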