[Catalyst] Re: how to confirm before deleteing

Carl Johnstone catalyst at fadetoblack.me.uk
Thu Jan 22 11:40:48 GMT 2009

Aristotle Pagaltzis wrote:
>     <img src="http://yourapp.example.org/addressbook/delete/all">
> into a page they control and then send a link to that page to
> your users. If you allow destructive actions on GET, you have
> just allowed for your users to be screwed over through no fault
> of their own.

Note that using POST rather than GET doesn't protect you from this specific 
problem - it's still possible to form a CSRF request with a POST action.


More information about the Catalyst mailing list