[Catalyst] Re: how to confirm before deleting
Carl Johnstone
catalyst at fadetoblack.me.uk
Thu Jan 22 11:40:48 GMT 2009
Aristotle Pagaltzis wrote:
> <img src="http://yourapp.example.org/addressbook/delete/all">
>
> into a page they control and then send a link to that page to
> your users. If you allow destructive actions on GET, you have
> just allowed for your users to be screwed over through no fault
> of their own.
Note that using POST rather than GET doesn't protect you from this specific
problem - it's still possible to form a CSRF request with a POST action.
Carl