If I set actions for logged in users to be performed through HTTP methods other than `GET` or `POST`, then Javascript HTTP requests respecting the Same Origin Policy (SOP) or Cross-Origin Resource Sharing (CORS) is the only way to perform those actions with credentials, isn't it? (Since it seems to not be possible with basic HTML.)
2
David
user2284570
- Of course, reading the server response isn't required for performing the actions. – user2284570 Jan 27 '18 at 18:14
- Possible duplicate of [Exploiting CSRF PUT request](https://security.stackexchange.com/questions/106105/exploiting-csrf-put-request), [GET and POST request vulnerable to CSRF attack?](https://security.stackexchange.com/questions/90023/get-and-post-request-vulnerable-to-csrf-attack), [How does the same-origin-policy protect against PUT/DELETE CSRF?](https://security.stackexchange.com/questions/119560/how-does-the-same-origin-policy-protect-against-put-delete-csrf). – Steffen Ullrich Jan 27 '18 at 18:23
1 Answer
2
In modern browsers, requests with methods other than `HEAD`, `GET` and `POST` can't be sent cross-origin without a CORS permission.

If your application verifies that the request method is, say, `PUT`, an attacker can't forge that request in a CSRF attack, unless you explicitly give permission, e.g. with an `Access-Control-Allow-Methods: PUT` header.
See also: Examples of access control scenarios
Arminius
- [Even with Flash Player](https://stackoverflow.com/a/12650149/2284570)? – user2284570 Feb 18 '19 at 23:18
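The method check the answer relies on, modelled in JavaScript as an added example that is not part of the original answer: `isSimpleRequest` reproduces the browser's rule for which cross-origin requests are sent without a CORS preflight (so a `PUT` is held back until the server grants it), and `preflightResponse` is an assumed server policy that grants `PUT` only to one allowlisted origin. Both function names and the origin values are constructed for this example.

```javascript
// Added example (not from the original answer). Function names and the
// origin values below are assumptions made for illustration.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);

// True when a cross-origin request is sent without a preflight (a CORS
// "simple request"). Such a request reaches the server with the victim's
// cookies even though the calling page cannot read the response, which is
// why a GET/POST endpoint still needs a CSRF token while PUT/DELETE do not
// get through unless the server answers the preflight.
function isSimpleRequest(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return false;
    if (lname === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Server-side preflight policy (assumed): only the allowlisted origin is
// granted PUT. Any other origin gets no Access-Control-Allow-* headers, so
// the browser never sends the actual PUT. Credentialed CORS requires an
// exact origin echo; a wildcard would be rejected by the browser anyway.
const ALLOWED_ORIGIN = 'https://app.example'; // constructed value
function preflightResponse(origin, requestedMethod) {
  if (origin === ALLOWED_ORIGIN && requestedMethod === 'PUT') {
    return {
      status: 204,
      headers: {
        'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
        'Access-Control-Allow-Methods': 'PUT',
        'Access-Control-Allow-Credentials': 'true',
        'Vary': 'Origin',
      },
    };
  }
  return { status: 403, headers: {} };
}
```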