users@jersey.java.net

Re: [rest-discuss] confirmation URL ? GET ?

From: Subbu Allamaraju <subbu_at_subbu.org>
Date: Sun, 27 Sep 2009 11:37:04 -0700

Not when the GET is not tied to user authentication and some other
unsafe action. But you are right that executing actions by GETtable
links may lead to CSRF.

On Sep 27, 2009, at 8:09 AM, John Panzer wrote:

> Actually something like a separate form step is needed to help prevent
> xsrf anyway.
>
> On Sunday, September 27, 2009, Subbu Allamaraju <subbu_at_subbu.org>
> wrote:
>>>> So, what is the alternative ?
>>>
>>> Send a URL to an HTML page that includes a POST form with a button
>>> the
>>> user clicks on to confirm.
>>>
>>> (or send an HTML email with a form (not sure if the email client
>>> supports the form submission though)).
>>
>> It is a matter of a tradeoff between usability and safety. Confirming
>> by just clicking on the link is a well-established usage pattern on
>> the web. Most users will miss the flow if there is another HTML form
>> or some other user interaction on that page.
>>
>> When implementing this, just make sure to not fail the request if the
>> user clicks on the link again (i.e. implement as idempotent).
>>
>> Subbu
>>
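The flow Subbu and John describe above (an emailed link whose GET only renders a POST form, a POST that performs the action, and a confirmation that can be repeated without failing), written out as an added example. This is illustrative code added here, not code from the thread or from Jersey; the host name and the in-memory token store are assumptions.

```python
"""Confirmation-link flow: the emailed GET link only renders a POST form;
the POST performs the one-time action and is idempotent on repeat."""
import hmac
import html
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory store: token -> record. A real service keeps this in a DB.
_pending = {}
TOKEN_TTL = 24 * 3600  # seconds a confirmation link stays valid


def issue_confirmation(email: str, now: Optional[float] = None) -> str:
    """Create an unguessable, single-purpose token and return the link to email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[token] = {"email": email, "expires": now + TOKEN_TTL, "confirmed": False}
    return "https://example.invalid/confirm?token=" + token  # hypothetical host


def _lookup(token: str, now: float):
    # Compare in constant time so lookup timing does not leak token prefixes.
    for stored, rec in _pending.items():
        if hmac.compare_digest(stored, token):
            return None if now > rec["expires"] else rec
    return None


def handle_get(token: str, now: Optional[float] = None) -> Tuple[int, str]:
    """GET is safe: it changes no state, it only renders the confirmation form."""
    rec = _lookup(token, time.time() if now is None else now)
    if rec is None:
        return 404, "<p>Unknown or expired confirmation link.</p>"
    # The secret token is carried in a hidden field, so a third-party page
    # cannot forge this POST without already knowing the token (the CSRF point).
    return 200, ('<form method="post" action="/confirm">'
                 '<input type="hidden" name="token" value="%s">'
                 '<button>Confirm %s</button></form>'
                 % (html.escape(token), html.escape(rec["email"])))


def handle_post(token: str, now: Optional[float] = None) -> Tuple[int, str]:
    """POST performs the unsafe action; a repeated click succeeds instead of failing."""
    rec = _lookup(token, time.time() if now is None else now)
    if rec is None:
        return 404, "unknown or expired token"
    if rec["confirmed"]:
        return 200, "already confirmed"  # idempotent: second click is not an error
    rec["confirmed"] = True              # the one-time state change happens here
    return 200, "confirmed"
```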