13.6.2 move into V50 (if not merged into V50.4.1) #2492
Labels
1) Discussion ongoing
Issue is opened and assigned but no clear proposal yet
4a) Waiting for another
This issue is waiting for another issue to be resolved
V13
V50
Group issues related to Web Frontend
_5.0 - prep
This needs to be addressed to prepare 5.0
Comments
elarlang
added
1) Discussion ongoing
|
So the question is, is CSRF the only security risk which this requirement addresses? In principle, there is a general assumption that HEAD, OPTIONS, TRACE or GET verb do not modify any backend data structure or perform any state-changing actions. However, I am not sure there is a specific security risk outside of CSRF. This requirement seems to have been added as a result of the discussion in #672 which included people such as @Sjord, @VincentDS, and @Someniak. Based on that discussion I think the only risk is CSRF and therefore I propose that this should be merged into the CSRF requirement (currently being worked on in #2481). I am open to other points of view though. |
elarlang
added
the
4a) Waiting for another
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Current requirement 13.6.2:
I think this is browser-based attack scenario specific and a pre-condition to have defense against (so-callsd) CSRF attacks in place.
The option is to merge into to the "csrf" requirement or move to the same section.
Related comment and issue: #2481 (comment)
The text was updated successfully, but these errors were encountered: