Hi Mathieu,

CSRF attacks are easier on GET than POST requests. While there are plans to 
implement CSRF tokens within OFBiz (OFBIZ-10427), this is not completed yet. So 
allowing any GET request to change server data with URL parameter values should 
preferably be done after CSRF protection is implemented for the GET method.

Regards,
James


On 2019/11/06 19:24:23, Mathieu Lirzin <mathieu.lir...@nereide.fr> wrote: 
> Hello James,
> 
> James Yong <jamesy...@apache.org> writes:
> 
> > Understand the intent of checkSecureParameter function is to avoid 
> > sensitive information 
> > in the URL during POST method. A proposal is made to provide an
> > attribute (i.e. allow-query-string-for-service-event) to allow URL
> > parameters / query string for certain requests. Shouldn't the value for
> > this attribute be false, instead of true, when no value is specified
> > for the attribute?
> 
> What would be required before discussing the details of the proposal is
> a detailed scenario demonstrating that in the context of OFBiz event
> handlers accepting query parameters from an HTTP request is less secure
> than accepting only body parameters.
> 
> -- 
> Mathieu Lirzin
> GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37
> 
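As an added illustration of the default James argues for (this is hypothetical code, not OFBiz's own; the RequestMapEntry class, parseQuery helper and sample query strings are constructed): a state-changing request keeps parameters carried in the URL only when the request map explicitly opts in, and an unset attribute is treated as false.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical stand-in for a request-map entry; not OFBiz's RequestMap class.
public class ServiceEventParamPolicy {

    static final class RequestMapEntry {
        final boolean serviceEvent;     // does this request change server data?
        final boolean allowQueryString; // allow-query-string-for-service-event
        RequestMapEntry(boolean serviceEvent, Boolean allowQueryString) {
            this.serviceEvent = serviceEvent;
            // Unspecified attribute -> false, the conservative default.
            this.allowQueryString = allowQueryString != null && allowQueryString;
        }
    }

    // Minimal query-string parser; tolerates null, empty and valueless keys ("a&b=2").
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) return params;
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(key, val);
        }
        return params;
    }

    // Decide whether the request may invoke the service event. Parameters in the
    // URL are refused for state-changing requests unless explicitly allowed: a
    // forged cross-site GET controls exactly those parameters, and a GET carries
    // all of its parameters in the URL.
    static boolean permitted(String queryString, RequestMapEntry rm) {
        if (!rm.serviceEvent) return true;                 // plain views unaffected
        boolean urlParams = !parseQuery(queryString).isEmpty();
        if (!urlParams) return true;                       // body-only parameters
        return rm.allowQueryString;                        // needs explicit opt-in
    }

    public static void main(String[] args) {
        RequestMapEntry unset = new RequestMapEntry(true, null);       // attribute absent
        RequestMapEntry optIn = new RequestMapEntry(true, Boolean.TRUE);
        // Constructed sample query strings, not real OFBiz requests.
        System.out.println("GET with URL params, attribute unset: "
                + permitted("orderId=DEMO1&statusId=CANCELLED", unset));
        System.out.println("POST with body-only params, attribute unset: "
                + permitted("", unset));
        System.out.println("URL params with explicit opt-in: "
                + permitted("orderId=DEMO1", optIn));
    }
}
```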
