Hi Matt<br><br>I just have some questions and some notes about what you say here.<br><br><div class="gmail_quote">On Nov 25, 2007 10:25 PM, Matt Wood <<a href="mailto:matt@woodzy.com">matt@woodzy.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I think this would be a poor addition. This code just prevents other<br>pages from linking directly to your resources. This does nothing to<br>protect anyone from performing CSRF attacks from your site. The name<br>CSRFx is deceiving. It should really be named, "A simple script to add
<br>nonces to selected pages on your php application". It is also filled<br>with bugs with how it will add nonces to the output page.<br><br>I spent a few minutes glancing over the small amount of code this<br>project is composed of...
<br><br>This is why I don't like it...<br>1. This would add two queries to every request, one being a select<br>(not a big deal); one being an insert (a bigger deal). These queries<br>are also NOT cacheable, thus would also erase good cache entries in
<br>your DB's query caching mechanism.<br>2. Does not protect against CSRF attacks from your site, it in fact<br>will release your "sensitive" token to any actual CSRF attacks.</blockquote><div> </div><div>What do you mean by "from your site"?
<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>3. This will also likely confuse search engine crawlers.</blockquote><div>
<br>As Mark says, it's just for admin pages, so there is no confusion for search engines.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>4. This will also eliminate people linking directly to your site's<br>content. How can that be helpful?<br><br>Perhaps the only place this is really applicable is for any resources<br>your site hosts.<br><div class="Ih2E3d">
<br>On Nov 23, 2007 2:30 AM, Mark Wu <<a href="mailto:mark.wu@markplace.net">mark.wu@markplace.net</a>> wrote:<br>><br>><br></div><div><div></div><div class="Wj3C7c">> I know we discussed this issue before, but it seems there is no solution for
<br>> this.<br>><br>> This code comes from Google Code; maybe we can borrow the idea from this<br>> tool<br>><br>> <a href="http://code.google.com/p/csrfx/" target="_blank">http://code.google.com/p/csrfx/
</a><br>><br>> Mark<br></div></div><div><div></div><div class="Wj3C7c">> _______________________________________________<br>> pLog-svn mailing list<br>> <a href="mailto:pLog-svn@devel.lifetype.net">pLog-svn@devel.lifetype.net
</a><br>> <a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br>><br></div></div></blockquote>
</div><br>
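An added example (written for this edit; it is not code from CSRFx, nor from LifeType/pLog) of the alternative Matt's points 1 and 2 imply: a CSRF token that is bound to the session rather than stored in a database table, so the admin handler does no SELECT or INSERT per request, and that is only ever placed in POST bodies, never in links, so it is not handed out through the Referer header. It assumes a <code>$session</code> array standing in for <code>$_SESSION</code>, PHP 7 or later for <code>random_bytes()</code>, and hypothetical form action names such as <code>delete_post</code>.

```php
<?php
// Added example (not CSRFx or LifeType code): session-bound CSRF tokens for a
// PHP application. No SELECT/INSERT per request: the only state is one secret
// kept in the session array ($session stands in for $_SESSION here).

// Create the per-session secret once; later calls reuse it.
function csrf_secret(array &$session): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32)); // PHP >= 7.0
    }
    return $session['csrf_secret'];
}

// Per-form token: an HMAC of the form's action name under the session secret.
// The page only ever sees the HMAC, never the secret itself, and a token issued
// for "delete_post" does not verify when replayed against another action.
function csrf_token(array &$session, string $action): string
{
    return hash_hmac('sha256', $action, csrf_secret($session));
}

// Hidden field for a POST form. Tokens go in the request body, not in links:
// a token placed in a GET URL leaks through the Referer header and bookmarks.
function csrf_field(array &$session, string $action): string
{
    $token = htmlspecialchars(csrf_token($session, $action), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Verify on the handler side. Fails closed when the session has no secret yet,
// when the field is missing, or when it was sent as an array, and uses
// hash_equals() so the comparison does not leak timing information.
function csrf_check(array $session, array $post, string $action): bool
{
    if (empty($session['csrf_secret'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $action, $session['csrf_secret']);
    return hash_equals($expected, $post['csrf_token']);
}

// Constructed walk-through (hypothetical action names, fresh session):
$session = [];
echo csrf_field($session, 'delete_post'), "\n";  // rendered into the admin form

$good      = ['csrf_token' => csrf_token($session, 'delete_post')]; // the form's own token
$wrongForm = ['csrf_token' => csrf_token($session, 'edit_post')];   // token from another form
$forged    = ['csrf_token' => str_repeat('0', 64)];                 // value a cross-site form could send

var_dump(csrf_check($session, $good, 'delete_post'));
var_dump(csrf_check($session, $wrongForm, 'delete_post'));
var_dump(csrf_check($session, $forged, 'delete_post'));
var_dump(csrf_check([], $good, 'delete_post'));   // no session secret at all
```

Only the first check succeeds: the other three are rejected because the token belongs to a different form, was guessed, or arrived without a session secret to verify it against. Because the secret lives in the session and the per-form value is derived with <code>hash_hmac()</code>, there is nothing to insert or look up in the database, which is the cost Matt's first point objects to, and nothing for a crawler to see on public pages since the field only appears inside POST forms on the admin side.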