HTMLDocumentProtector only protects POST forms

@g105b g105b released this 02 Jan 19:24
0f39d43

Up to this point, HTMLDocumentProtector's protectAndInject method added CSRF tokens to all forms, regardless of method.

Having CSRF tokens on GET requests doesn't lead to a good user experience (and does not protect against anything). Once a form is submitted with a GET request, the token is added to the URL, which means that visiting the URL again (or simply refreshing the browser) causes the protection to throw an exception because the token has already been consumed.

There is no need to protect against CSRF on GET requests anyway, because GET requests should never affect the state of an application.
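The behaviour described in these notes, as an added example written for this page rather than code taken from phpgt/csrf: a plain DOMDocument pass that injects a hidden token field into forms whose method is POST and leaves GET forms alone, plus a single-use token check of the kind that would throw on a re-submitted URL. The function names, the field name `csrf-token`, the in-memory token store and the sample HTML are all this example's own assumptions.

```php
<?php
// Added example, not the library's own implementation.
// Inject a hidden CSRF field into POST forms only; GET forms are skipped
// because a token in the query string is consumed on first use and breaks
// refresh/back navigation, and GET requests should not change state anyway.
function injectCsrfTokens(string $html, string $token, string $fieldName = "csrf-token"): string {
    $doc = new DOMDocument();
    // libxml warns about HTML5 elements it does not know; keep output clean.
    libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName("form") as $form) {
        // A missing method attribute means GET per the HTML spec, so only
        // forms that explicitly declare POST receive a token.
        $method = strtoupper(trim($form->getAttribute("method")));
        if ($method !== "POST") {
            continue;
        }
        $input = $doc->createElement("input");
        $input->setAttribute("type", "hidden");
        $input->setAttribute("name", $fieldName);
        $input->setAttribute("value", $token);
        $form->appendChild($input);
    }
    return $doc->saveHTML();
}

// Issue a fresh unpredictable token and remember it in the (assumed) store,
// keyed by the token itself so lookup is a simple isset().
function issueToken(array &$issued): string {
    $token = bin2hex(random_bytes(32));
    $issued[$token] = true;
    return $token;
}

// Consume a submitted token exactly once. A second submission of the same
// token (e.g. a refreshed GET URL) is rejected, which is why GET forms must
// not carry a token in the first place.
function consumeToken(array &$issued, ?string $submitted): bool {
    if ($submitted === null || !isset($issued[$submitted])) {
        return false;
    }
    unset($issued[$submitted]);
    return true;
}

// Constructed sample document: one GET search form, one POST action form,
// one form with no method attribute (implicitly GET).
$sampleHtml = <<<HTML
<form action="/search" method="get"><input name="q"></form>
<form action="/delete" method="post"><button>Delete</button></form>
<form action="/filter"><input name="category"></form>
HTML;

$store = [];
$token = issueToken($store);
echo injectCsrfTokens($sampleHtml, $token);
// Only the /delete form gains <input type="hidden" name="csrf-token" ...>.

var_dump(consumeToken($store, $token)); // true on first use
var_dump(consumeToken($store, $token)); // false: already consumed
```

The protector is applied to the rendered HTML before it is sent to the browser, and `consumeToken` is called on the matching POST handler; because the check is one-shot, any token that leaked into a URL would fail the second time that URL was loaded, which is exactly the refresh problem the release removes by not tokenising GET forms.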