I've been working on the login flow for a simple web program. In the process, I learned about two things:

1. Forms cannot submit DELETE or PUT requests.
2. How Cross-Site Request Forgery works - owasp.org/www-community/attack

Synthesizing these two pieces of knowledge, would it not be true that making your whole API use DELETE and PUT would obviate the need for CSRF tokens? The same-origin policy would prevent anyone but the page itself from making DELETE and PUT requests via JS, which is the only way to use those two methods.

To be clear, I think this is an entirely stupid idea, but it's intriguing nonetheless.


@philipwhite
Forms cannot **yet** submit DELETE or PUT requests. It would be much safer to just use an arbitrary verb, like `e880ccc6-d32f-4eaa-b850-2e513eb7b97b-ing`.
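As an added illustration of the point raised in this thread (this is example code, not from either poster): a CSRF gate that never trusts the HTTP verb. Whether a browser can send PUT or DELETE from a form is a browser detail that may change, so every state-changing request is checked the same way, using a session-bound token plus the browser-supplied Origin / Fetch Metadata headers. The request shape (method, header dict, form dict, session dict) and the site origin `https://app.example` are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of our own pages (constructed value for this example).
SITE_ORIGIN = "https://app.example"
# Read-only methods are not gated; everything else is, regardless of verb.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_site_request(headers: dict) -> bool:
    """True only if browser-set headers point back at our own origin.
    Prefers Sec-Fetch-Site (set by the browser, not by page script),
    then falls back to Origin / Referer; absence of all three is a reject."""
    fetch_site = headers.get("sec-fetch-site")
    if fetch_site is not None:
        return fetch_site == "same-origin"
    origin = headers.get("origin") or headers.get("referer")
    if not origin:
        return False
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def is_csrf_safe(method: str, headers: dict, form: dict, session: dict) -> bool:
    """Accept a state-changing request only if it is same-site AND carries
    the token bound to this session. The method name itself plays no role,
    so a forged DELETE is treated exactly like a forged POST."""
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not same_site_request(h):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token") or h.get("x-csrf-token")
    if not expected or not supplied:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), str(supplied).encode())
```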

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.
