- Issue created by @nico.b
I originally reported this to the security team, but they cleared it to be discussed in public.
1. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker. Therefore, it is also an OWASP recommendation not to place CSRF tokens in the URL. If an attacker is able to intercept the CSRF token of the user, the attacker is able to conduct a CSRF attack on the specific user for the specific protected action.
2. GET requests should (by specification) never be used for server-side state-changing actions in the first place. Nevertheless, Core and many contributed modules do so, although even Drupal's own documentation stated in the past that this is bad practice.
CSRF tokens in GET requests are therefore not only somewhat insecure (1.), but should also never be necessary (2.) if strictly following the HTTP specification and secure coding guidelines.
Therefore, it is in my opinion questionable whether this core feature should even exist in its current form since it encourages the usage of GET requests for server-side state-changing actions. Currently, the feature only seems to exist to make a bad practice a bit (or much) "less bad".
Status: Active
Version: 11.0
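The two points above (a token in the URL ends up in access logs and in the Referer header, and a state change should only be reachable via POST) can be made concrete with a small model of both request handlers. The following is an added example, not code from the issue reporter or from Drupal core; the `token` query-parameter name, the HMAC-based per-session/per-action token scheme, the access-log format and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed server-side secret; a real site would derive this from its private key.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def csrf_token(session_id: str, action: str) -> str:
    """Token bound to one session and one protected action (hypothetical scheme)."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_valid(session_id: str, action: str, presented: Optional[str]) -> bool:
    """Constant-time comparison so a wrong token cannot be confirmed byte by byte."""
    if presented is None:
        return False
    return hmac.compare_digest(csrf_token(session_id, action), presented)


def access_log_line(method: str, target: str) -> str:
    """Constructed access-log line: web servers and proxies record the full request target."""
    return f'10.0.0.1 - - "{method} {target} HTTP/1.1"'


def referer_header(page_url: str) -> str:
    """What a browser sends as Referer when an off-site link is followed from page_url:
    the query string is kept, only the fragment is dropped."""
    return urlsplit(page_url)._replace(fragment="").geturl()


def handle_get_with_token(session_id: str, url: str) -> dict:
    """The pattern the issue criticises: a state change on GET, guarded only by ?token=."""
    parts = urlsplit(url)
    action = parts.path
    token = parse_qs(parts.query).get("token", [None])[0]
    performed = token_valid(session_id, action, token)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return {
        "status": 200 if performed else 403,
        "performed": performed,
        "log": access_log_line("GET", target),      # token lands in every log on the path
        "referer_leak": referer_header(url),         # and in the Referer of off-site links
    }


def handle_post_with_token(session_id: str, method: str, path: str, form: dict) -> dict:
    """The recommended pattern: state changes only on POST, token carried in the body."""
    if method != "POST":
        # GET (and any other safe method) never performs the action at all.
        return {"status": 405, "performed": False,
                "log": access_log_line(method, path), "referer_leak": path}
    performed = token_valid(session_id, path, form.get("token"))
    return {
        "status": 200 if performed else 403,
        "performed": performed,
        "log": access_log_line("POST", path),       # the token never reaches the request target
        "referer_leak": path,
    }


if __name__ == "__main__":
    sid = "sess-constructed-123"
    path = "/node/42/delete"
    tok = csrf_token(sid, path)
    bad = handle_get_with_token(sid, f"https://example.test{path}?token={tok}")
    good = handle_post_with_token(sid, "POST", path, {"token": tok})
    print(bad["log"])    # token visible in the log line and in the Referer
    print(good["log"])   # only the path is recorded
```

Both handlers reject a forged request that lacks a valid token, so the GET variant is indeed "less bad" than an unprotected GET; the difference is that its token is copied into every access log and Referer header along the way, which is exactly the exposure the issue describes, whereas the POST handler keeps the token out of the URL entirely and refuses the action on any non-POST method.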