- First commit to issue fork.
- Merge request !11231 Issue #2575429: GET forms MUST NOT have CSRF tokens (Open) created by bhanu951
From the DrupalCon Barcelona Hard Problems Meeting on performance:
Wim: GET forms shouldn't have CSRF tokens — https://www.drupal.org/node/2571995
Alex: I have a use case
Crell: CSRF token in the URL is a bad thing, just like a session ID in there is a bad thing
Crell: we should make it an opt-in thing (i.e. default GET forms to #token = FALSE)
Alex: Oh, now I realized that I actually don't have a use case, we found that to be wrong.
Catch: we should verify that it actually offers any protection, if it’s not, then we should not even make it opt-in, we should make it impossible, and document it
So, step 1 is #2571995: GET forms shouldn't have CSRF tokens by default; this is step 2.
Prevent GET forms from ever having a CSRF token.
None.
None.
None.
Needs work
11.0 🔥
forms system