Hi Florent,
I have to admit that I can't recall right now why there is a CSRF
check.
But the fact that I spent the effort implementing it makes me believe
that there was a good enough reason.
I'll keep thinking about it...
- Florian
Hi Florian,
Could you explain the reasoning behind the fact that CsrfManager#check
verifies the token in the request parameter if this is a GET content
request?
I don't see the point in doing any CSRF check for a GET... In other
words, I don't see an attack model that would make this necessary.
Thanks,
Florent