users@jersey.java.net

Re: [rest-discuss] confirmation URL ? GET ?

From: Mike Kelly <mike_at_mykanjo.co.uk>
Date: Mon, 28 Sep 2009 13:15:05 +0100

Negligible risk in this, though - if it was a concern then you could
implement the initial URI as a landing page with javascript that
automatically makes the relevant POST (or PUT?) request.


Subbu Allamaraju wrote:
> Not when the GET is not tied to user authentication and some other
> unsafe action. But you are right that executing actions by GETtable
> links may lead to CSRF.
>
> On Sep 27, 2009, at 8:09 AM, John Panzer wrote:
>
>> Actually something like a separate form step is needed to help prevent
>> xsrf anyway.
>>
>> On Sunday, September 27, 2009, Subbu Allamaraju <subbu_at_subbu.org>
>> wrote:
>>
>>> It is a matter of a tradeoff between usability and safety. Confirming
>>> by just clicking on the link is a well-established usage pattern on
>>> the web. Most users will miss the flow if there is another HTML form
>>> or some other user interaction on that page.
>>>
>>> When implementing this, just make sure to not fail the request if the
>>> user clicks on the link again (i.e. implement as idempotent).
>>>
>>> Subbu
>>>
>>>
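An added example of the pattern the thread converges on (a GET that only lands on a page, a POST that does the actual confirmation, and an idempotent server side). It is not code from any poster or from Jersey; the host name, paths and in-memory store are assumptions for illustration.

```python
# Added example (not from the thread): confirmation-link flow in which the
# GET is a safe landing page, the state change happens on a POST, and the
# POST is idempotent. Host, paths and storage are assumed for illustration.
import hashlib
import html
import secrets

# Landing page served on GET: the browser submits the form itself; the
# <noscript> button is the fallback when JavaScript is off.
LANDING_PAGE = """<!doctype html>
<title>Confirm your address</title>
<form id="confirm" method="post" action="/confirm">
  <input type="hidden" name="token" value="{token}">
  <noscript><button>Confirm</button></noscript>
</form>
<script>document.getElementById("confirm").submit();</script>
"""


class ConfirmationService:
    """In-memory stand-in for the server side of the flow (assumed design)."""

    def __init__(self, base_url="https://example.invalid"):  # assumed host
        self.base_url = base_url
        self._pending = {}  # sha256(token) -> {"email": str, "confirmed": bool}

    @staticmethod
    def _key(token):
        # Store only a hash of the token: a leaked table yields no usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create an unguessable, single-purpose token and return the link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self._pending[self._key(token)] = {"email": email, "confirmed": False}
        return f"{self.base_url}/confirm/{token}"

    def handle_get(self, token):
        """GET /confirm/<token>: safe. Renders the landing page, changes nothing."""
        if self._key(token) not in self._pending:
            return 404, "Unknown or expired confirmation link."
        return 200, LANDING_PAGE.format(token=html.escape(token, quote=True))

    def handle_post(self, form):
        """POST /confirm: the unsafe step. Idempotent, so a repeat click succeeds."""
        token = form.get("token", "")
        entry = self._pending.get(self._key(token))
        if entry is None:
            return 404, "Unknown or expired confirmation link."
        if entry["confirmed"]:
            return 200, "Already confirmed."
        entry["confirmed"] = True
        return 200, f"Confirmed {entry['email']}."

    def is_confirmed(self, email):
        return any(e["email"] == email and e["confirmed"]
                   for e in self._pending.values())


def token_from_link(link):
    """Extract the token path segment the way a mail client or browser would."""
    return link.rsplit("/", 1)[1]


if __name__ == "__main__":
    svc = ConfirmationService()
    link = svc.issue("alice@example.invalid")  # constructed sample address
    tok = token_from_link(link)
    print(svc.handle_get(tok)[0], svc.is_confirmed("alice@example.invalid"))
    print(svc.handle_post({"token": tok}))   # first click confirms
    print(svc.handle_post({"token": tok}))   # second click still 200
    print(svc.handle_post({"token": "guess"}))  # forged or stale link: 404
```

The GET handler changes no state, so following the link (or a crawler or mail scanner prefetching it) cannot confirm anything by itself; the POST needs the token, which only the mail recipient has, so a third-party page cannot forge it in the way a cookie-authenticated GET action could be. Hashing the stored token and comparing by hash lookup means a database read does not hand out live links.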