
Feature: CSRF Protection #1195

Open
julianhofmann opened this issue Dec 5, 2024 · 0 comments


@julianhofmann
Contributor

The use of FormProtection suggested in #286 would require a logged-in user. We do not necessarily have this when using Powermail.

Since TYPO3 v12, however, there is the ‘CSRF-like request token handling’, which does not require a logged-in user (but uses its own cookie).
This token procedure could be used for the createAction to prevent repeated sending or automated completion after previous crawling.

As a positive side effect, it also prevents (accidental) repeated sending. This occurs on iPhones, for example, when the browser is reopened and the confirmation page was still open in a tab.
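As an added illustration of the proposal above (example code, not Powermail's code and not the commit referenced in this issue): a hypothetical Extbase controller that issues a TYPO3 v12 request token when rendering the form and verifies it in `createAction`. It assumes the `RequestToken` / `SecurityAspect` API from the linked TYPO3 documentation; the controller name and the scope string are placeholders.

```php
<?php
// Added example, not Powermail's code. Assumes the TYPO3 v12 request token API
// (RequestToken / SecurityAspect) as described in the linked core docs.
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use TYPO3\CMS\Core\Context\Context;
use TYPO3\CMS\Core\Security\RequestToken;
use TYPO3\CMS\Core\Security\SecurityAspect;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;

class ExampleFormController extends ActionController
{
    // Placeholder scope; a real integration would pick its own stable scope name.
    private const TOKEN_SCOPE = 'example/form/create';

    // Renders the form and issues a token bound to TOKEN_SCOPE. The matching
    // nonce is kept in TYPO3's own cookie, so no logged-in user is required.
    public function formAction(): ResponseInterface
    {
        $this->view->assign('requestToken', RequestToken::create(self::TOKEN_SCOPE));
        // Fluid: <f:form action="create" requestToken="{requestToken}"> ... </f:form>
        return $this->htmlResponse();
    }

    // Rejects any submission that does not carry a valid token for this scope.
    public function createAction(): ResponseInterface
    {
        $securityAspect = SecurityAspect::provideIn(GeneralUtility::makeInstance(Context::class));
        $token = $securityAspect->getReceivedRequestToken();
        // null: no token sent; false: token sent but signature/nonce invalid;
        // otherwise make sure it was issued for this form, not another scope.
        if ($token === null || $token === false || $token->scope !== self::TOKEN_SCOPE) {
            return $this->htmlResponse('Invalid or missing request token.')->withStatus(403);
        }
        // ... persist the submission here ...
        return $this->redirect('success');
    }
}
```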

julianhofmann added a commit that referenced this issue Dec 5, 2024
The use of the token is intended to prevent CSRF attacks.

As a positive side effect, it also prevents (accidental) repeated sending. This occurs on iPhones,
for example, when the browser is reopened and the success page was still open in a tab.

See: https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/Authentication/CSRFlikeRequestTokenHandling.html

Related: #286
Related: #1195