Feature #47252

Skip CSRF protection and persistence for "safe" request methods

Added by Robert Lemke about 8 years ago. Updated about 8 years ago.

Status: Resolved
Priority: Must have
Assignee:
Category: MVC
Start date: 2013-04-15
Due date:
% Done: 100%
Estimated time:
PHP Version: 5.4
Has patch: No
Complexity: medium

Description

By definition, GET / HEAD requests should be considered "safe", that is, they should only be used for retrieval and not have any state side effects on the server side (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html).

We should support and enforce this principle by turning off the automatic persistAll() call and skipping CSRF protection for GET requests.

In later versions we can further optimize Flow to take advantage of the knowledge that a request is considered to be read-only (possibly speeding up persistence, security etc.).
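A minimal sketch of the two behaviours the description asks for, added here as an example and not code from Flow or from this change: CSRF verification and the automatic persistAll() are skipped for GET and HEAD, and a "safe" request whose handler nevertheless calls persistAll() is rejected, which is what "enforce this principle" amounts to in practice. The class and function names, the request array layout and the token value are assumptions; hash_equals() needs PHP 5.6 or later, so on the 5.4 named in the ticket a constant-time comparison would have to be substituted.

```php
<?php
// Added illustration of the policy in #47252, not Flow's own code; class and
// function names are invented. "Safe" follows RFC 2616 sec. 9.1.1: GET and HEAD.
class CsrfTokenMismatchException extends RuntimeException {}
class UnsafeSideEffectException extends RuntimeException {}
function isSafeMethod($method) { return in_array(strtoupper($method), array('GET', 'HEAD'), true); }

// Stand-in for the persistence manager. Refusing to flush during a safe request
// is what makes the "enforce this principle" part of the ticket checkable.
class PersistenceGuard
{
    private $readOnly = false;
    public $flushes = 0;
    public function setReadOnly($flag) { $this->readOnly = (bool) $flag; }
    public function persistAll()
    {
        if ($this->readOnly) {
            throw new UnsafeSideEffectException('persistAll() called during a safe request');
        }
        $this->flushes++;
    }
}
// $request = array('method' => ..., 'csrfToken' => ..., 'handler' => callable)
function dispatch(array $request, $expectedToken, PersistenceGuard $pm)
{
    $safe = isSafeMethod($request['method']);
    if (!$safe) { // only state-changing methods must carry a valid token
        $given = isset($request['csrfToken']) ? $request['csrfToken'] : '';
        if (!hash_equals($expectedToken, $given)) { // hash_equals(): PHP 5.6+
            throw new CsrfTokenMismatchException('missing or invalid CSRF token');
        }
    }
    $pm->setReadOnly($safe);
    $result = call_user_func($request['handler'], $pm);
    if (!$safe) {
        $pm->persistAll(); // the automatic end-of-request flush, unsafe methods only
    }
    return $result;
}
// Constructed sample requests: the GET skips both checks, the POST gets both,
// and a GET whose handler tries to persist is rejected with an exception.
$pm = new PersistenceGuard();
dispatch(array('method' => 'GET', 'handler' => function ($pm) { return 'list'; }), 'tok', $pm);
dispatch(array('method' => 'POST', 'csrfToken' => 'tok', 'handler' => function ($pm) { return 'save'; }), 'tok', $pm);
try {
    dispatch(array('method' => 'GET', 'handler' => function ($pm) { $pm->persistAll(); }), 'tok', $pm);
} catch (UnsafeSideEffectException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```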

#1

Updated by Gerrit Code Review about 8 years ago

  • Status changed from Accepted to Under Review

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#2

Updated by Gerrit Code Review about 8 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#3

Updated by Gerrit Code Review about 8 years ago

Patch set 4 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#4

Updated by Gerrit Code Review about 8 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#5

Updated by Gerrit Code Review about 8 years ago

Patch set 6 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#6

Updated by Gerrit Code Review about 8 years ago

Patch set 7 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#7

Updated by Gerrit Code Review about 8 years ago

Patch set 8 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#8

Updated by Gerrit Code Review about 8 years ago

Patch set 1 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/20010

#9

Updated by Gerrit Code Review about 8 years ago

Patch set 9 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/19989

#10

Updated by Gerrit Code Review about 8 years ago

Patch set 2 for branch 2.0 has been pushed to the review server.
It is available at https://review.typo3.org/20010

#11

Updated by Anonymous about 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
