Protection will cover actions, signals and components, and will be enabled by an annotation on the appropriate method or on the whole presenter. For individual components, it will be activated by annotations in a similar way to how persistent components are defined now.
(The implementation should be general, so that the same API can be used in future for authorization etc.)
The principle of protection:
Protected links will be rendered with an additional HTML attribute __csrf. The default implementation will not use jQuery and will be compatible with IE8+.
Token will be checked in RequestFactory, as mentioned in this RFC.
The presenter will only check that the HTTP method, for the protected links, is other than GET / HEAD. Otherwise it will throw 403.
Protected links can be sent via AJAX using the methods POST/PUT/DELETE with the token in the HTTP header X-CSRF-Token. This means that RequestFactory, in addition to checking the POST field, will check the header (if it matches the token in the cookie).
Filip Procházka (Moderator):
Makes perfect sense to me.