[Nuxeo-tickets] Re: [Nuxeo Repository] #630: Don't use GET for side effects, and check that a POST comes from the same server
Nuxeo Repository
trac at nuxeo.com
Tue Apr 17 11:05:05 CEST 2007
#630: Don't use GET for side effects, and check that a POST comes from the same server
--------------------------+-------------------------------------------------
Reporter: anonymous | Owner: fguillaume
Type: defect | Status: new
Priority: P2 | Milestone: CPS 3.4.4
Component: CPS (global) | Version: TRUNK
Severity: major | Resolution:
Keywords: security XSS |
--------------------------+-------------------------------------------------
Changes (by madarche):
* keywords: security => security XSS
* milestone: CPS 3.5.0 => CPS 3.4.4
Old description:
> The problem is that of CSRF (Cross-site request forgery).
>
> http://www.squarefree.com/securitytips/web-developers.html#CSRF
> http://www.sencer.de/article/122/securing-forms-with-post-is-not-enough
>
> We should automatically add a cryptographic nonce (formkey) to the forms
> we generate, to prevent this.
New description:
The problem is that of CSRF (Cross-site request forgery).
http://www.squarefree.com/securitytips/web-developers.html#CSRF
This ticket is related to #1831.
--
Ticket URL: <http://svn.nuxeo.org/trac/pub/ticket/630>
Nuxeo Repository <http://www.cps-project.org/>
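One way to implement the per-form cryptographic nonce (formkey) and the "POST comes from the same server" check that the ticket asks for, as an added example that is not CPS or Nuxeo code. It is plain Python; the server secret, session id, host name and the three sample requests are constructed for the example, and deriving the formkey as an HMAC over the session id and form name, plus comparing the Origin (or Referer) host, are assumptions about how such a check could be built, not the project's design:

```python
"""Added example (not CPS/Nuxeo code): a session-bound CSRF formkey plus a
same-server check for state-changing POSTs, as the ticket proposes."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Server-side secret; a real deployment loads it from configuration.
# Constructed here for the example.
SERVER_SECRET = secrets.token_bytes(32)


def make_formkey(session_id: str, form_name: str) -> str:
    """Derive a formkey bound to the visitor's session and the target form.

    The key is an HMAC over (session_id, form_name), so a page on another
    site cannot guess it: it would need both the victim's session id and
    the server secret. Binding to form_name keeps a key leaked from one
    form from being replayed against a different one.
    """
    msg = f"{session_id}\0{form_name}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def render_form(session_id: str, form_name: str, action: str) -> str:
    """Emit the hidden formkey field every generated form must carry."""
    key = make_formkey(session_id, form_name)
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="formkey" value="{key}">'
            '<input type="submit"></form>')


def same_server(headers: dict, expected_host: str) -> bool:
    """Accept a POST only if Origin (or, failing that, Referer) names us.

    Browsers send Origin on cross-site POSTs; older ones only send Referer.
    A request carrying neither is rejected rather than trusted.
    """
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).netloc.lower() == expected_host.lower()


def verify_post(request: dict, expected_host: str) -> bool:
    """Both checks must pass before a side-effecting request is honoured."""
    if request["method"] != "POST":
        return False  # a GET must never perform a side effect
    if not same_server(request["headers"], expected_host):
        return False
    expected = make_formkey(request["session_id"], request["form"])
    supplied = request["form_data"].get("formkey", "")
    # compare_digest avoids leaking the key through timing differences.
    return hmac.compare_digest(expected, supplied)


# Constructed sample traffic: one legitimate submission, one forgery, one GET.
SESSION = "sid-constructed-4f2a"
HOST = "cps.example.org"


def legitimate_request() -> dict:
    return {"method": "POST", "session_id": SESSION, "form": "delete_document",
            "headers": {"Origin": "https://cps.example.org"},
            "form_data": {"formkey": make_formkey(SESSION, "delete_document")}}


def forged_request() -> dict:
    # A page on attacker.example auto-submits a form: the browser attaches
    # the victim's session cookie, but the attacker holds no valid formkey.
    return {"method": "POST", "session_id": SESSION, "form": "delete_document",
            "headers": {"Origin": "https://attacker.example"},
            "form_data": {"formkey": "0" * 64}}


def get_request() -> dict:
    return {"method": "GET", "session_id": SESSION, "form": "delete_document",
            "headers": {"Origin": "https://cps.example.org"}, "form_data": {}}


if __name__ == "__main__":
    print(render_form(SESSION, "delete_document", "/delete_document"))
    print("legitimate:", verify_post(legitimate_request(), HOST))
    print("forged:", verify_post(forged_request(), HOST))
    print("GET:", verify_post(get_request(), HOST))
```

The two checks are deliberately independent: the formkey alone would still block the forgery even if the attacker could spoof the Origin header, and the same-server check still rejects a request from a foreign origin even if a formkey leaked. The Referer fallback is a weak second line (clients and proxies strip it, and the second link in the old description notes that header checks alone are not enough), which is why the nonce is the primary control; the host comparison here is exact, so a deployment served on a non-default port must include the port in `expected_host`.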