« Previous | Next » 

Revision e1ca2a73


Added by Robert Lemke over 8 years ago

[!!!][TASK] CSRF protection for "safe" request methods

This change set adjusts URL related view helpers in Fluid to
an important behavior for Flow applications: HTTP request
methods which are, by definition, considered to be "safe"
(that is, "read-only") are now treated as such.

The Fluid Link and Uri view helpers will not generate CSRF tokens
anymore, since we assume that you are using them for GET requests.
The FormViewHelper however, will enable link protection if the
form does not have method="get" set.

Please adjust your applications to cleanly observe this principle since
more optimizations in this direction are planned for later versions of
TYPO3 Flow.

Related: #47252
Releases: 2.0, master
Change-Id: Ic600a9e591d047ca9bbd39d352c4f337bcfaa6a9

  • added
  • modified
  • copied
  • renamed
  • deleted