Improper use of "idempotent"
marfire opened this issue · 2 comments
marfire commented
One of your headings reads GET is always idempotent. Although that is certainly good practice in general, it doesn't have anything to do with CSRF. A GET request that deleted data would be idempotent, but still a major CSRF vulnerability.
I suggest GET should not have side effects, or something like that.
marfire commented
Here's the reference I was looking for: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html.
What matters here is safety, not idempotence.
dougwilson commented
Correct, there are two types of methods: idempotent and safe. The CSRF docs should reference safe, rather than idempotent.
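The distinction the thread draws, as an added illustration that is not code from the issue or from the project being discussed: a minimal CSRF guard that exempts only RFC 2616 safe methods, run against a constructed toy app whose delete handler is (wrongly) reachable by GET. The route names, token value and account store are assumptions made for the example.

```javascript
'use strict';
// Added example, not code from the original issue or the project discussed.
// Method classes per RFC 2616 section 9.1: "safe" (no side effects) versus
// "idempotent" (repeating has the same effect as doing it once). Safe is a
// subset of idempotent, which is why a CSRF exemption must key on "safe".
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const IDEMPOTENT_METHODS = new Set([...SAFE_METHODS, 'PUT', 'DELETE']);

const isSafe = (m) => SAFE_METHODS.has(m.toUpperCase());
const isIdempotent = (m) => IDEMPOTENT_METHODS.has(m.toUpperCase());

// Hypothetical CSRF guard: a token is demanded only for unsafe methods.
// Production code would use a constant-time compare and bind the token to
// the session; the comparison is kept plain here to focus on the exemption.
function csrfGuard(req, expectedToken) {
  if (isSafe(req.method)) return { allowed: true, checked: false };
  const token = req.headers['x-csrf-token'] || '';
  return { allowed: token === expectedToken, checked: true };
}

// Constructed toy app. The GET route is the mistake the issue describes:
// idempotent (a second call deletes nothing more) but not safe, so the guard
// never asks for a token and the side effect runs on a cross-site request.
function makeApp(expectedToken) {
  const accounts = new Set(['alice', 'bob']);
  const remove = (user) => { accounts.delete(user); return { status: 200 }; };
  const routes = {
    'GET /delete': (q) => remove(q.user),   // vulnerable: side effect on GET
    'POST /delete': (q) => remove(q.user),  // protected: token is checked
  };
  return {
    handle(req) {
      if (!csrfGuard(req, expectedToken).allowed) return { status: 403 };
      const route = routes[`${req.method.toUpperCase()} ${req.path}`];
      return route ? route(req.query) : { status: 404 };
    },
    remaining: () => [...accounts].sort(),
  };
}

// Simulated cross-site requests: a third-party page cannot supply the token.
function demo() {
  const app = makeApp('constructed-token');
  const crossSite = (method, user) =>
    app.handle({ method, path: '/delete', query: { user }, headers: {} });
  const viaGet = crossSite('GET', 'alice').status;   // 200: alice is deleted
  const viaPost = crossSite('POST', 'bob').status;   // 403: request rejected
  return { viaGet, viaPost, remaining: app.remaining() };
}
```

The fix the issue points at is on the application side: move the deletion off GET so that the safe-method exemption matches the methods that actually have no side effects.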