<div dir="ltr">Also, this would require us to rewrite only those requests (in the case of GET) which are sent to these URLs, or we rewrite every URL, as having an extra parameter in the request URL won't be harmful (but I guess that would be a very bad practice).<div>

<br></div><div>For this we need to pass the logic to JS also, so that it identifies which request to rewrite. Any simple idea on how to do this?</div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div>

<br></div><font face="courier new, monospace" color="#444444">Minhaz, </font><div><font face="courier new, monospace" color="#444444"><a href="http://minhaz.cistoner.org" target="_blank">minhaz.cistoner.org</a> || <a href="http://cistoner.org" target="_blank">cistoner.org</a></font></div>

</div></div>
<br><br><div class="gmail_quote">On Mon, May 26, 2014 at 4:15 AM, Minhaz A V <span dir="ltr"><<a href="mailto:minhazav@gmail.com" target="_blank">minhazav@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div dir="ltr">Yeah, this is a better idea: rather than implementing the logic directly in the validation code, <div>we can provide a function which can be overridden by a user-defined function. In the basic method we can provide a mechanism that is in our scope, i.e. to map the current request URL against all those mentioned in the array of URLs to be validated.</div>


</div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><br></div><font face="courier new, monospace" color="#444444">Minhaz, </font><div><font face="courier new, monospace" color="#444444"><a href="http://minhaz.cistoner.org" target="_blank">minhaz.cistoner.org</a> || <a href="http://cistoner.org" target="_blank">cistoner.org</a></font></div>


</div></div><div><div class="h5">
<br><br><div class="gmail_quote">On Mon, May 26, 2014 at 4:05 AM, Abbas Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div style="word-wrap:break-word">What if the application uses dynamic URLs? What if it has so many URLs that need to be verified, and only one not to be verified?<div><br></div><div>We can expect the developer to create a function that receives a URL and returns true if it needs to be CSRF protected and false otherwise, and then use that function to decide what to do.</div>


<div><br></div><div>A list can easily be implemented using that as well.</div><div><div>-A<br><div>
<div style="font-weight:normal"><div>______________________________________________________________</div><div><b>Notice:</b> This message is <b>digitally signed</b>; its <b>source</b> and <b>integrity</b> are verifiable.</div>
<div>If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body. Read more at <a href="http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/" target="_blank">Certified E-Mail with Comodo and Thunderbird</a> in <a href="http://AbiusX.com" target="_blank">AbiusX.com</a></div>
</div>
</div>
<br></div><div><div><div><div>On May 25, 2014, at 6:34 PM, Minhaz A V <<a href="mailto:minhazav@gmail.com" target="_blank">minhazav@gmail.com</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr">Abbas, I couldn't get you?<div>


<br></div></div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div><br></div><font face="courier new, monospace" color="#444444">Minhaz, </font><div><font face="courier new, monospace" color="#444444"><a href="http://minhaz.cistoner.org/" target="_blank">minhaz.cistoner.org</a> || <a href="http://cistoner.org/" target="_blank">cistoner.org</a></font></div>




</div></div>
<br><br><div class="gmail_quote">On Mon, May 26, 2014 at 3:59 AM, Abbas Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div style="word-wrap:break-word">A list is not the best idea, but a function that returns true or false and is implemented by the developer is a totally different story! <div>-A<br><div>
</div><div><div>
<br><div><div>On May 25, 2014, at 6:25 PM, Jim Manico <<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>> wrote:</div><br><blockquote type="cite"><div dir="auto"><div>What if we keep a list of specific URLs for which the developer wants to check for CSRF validation in GET requests? This would create no false positives or false negatives, as GET requests to only certain URLs can be vulnerable. If the developer can identify this, we can map every host URL in the request against the list the developer has maintained and provide validation for those only. This will complicate the logic to a certain extent, but we can implement this!</div>





<div><br></div><div><br></div><div>Great idea, I like it.</div><div>- Jim</div><div><br></div><div><br></div><blockquote type="cite"><div dir="ltr">

<div><div><div dir="ltr"><div><br></div><font face="courier new, monospace" color="#444444">Minhaz, </font><div><font face="courier new, monospace" color="#444444"><a href="http://minhaz.cistoner.org/" target="_blank">minhaz.cistoner.org</a> || <a href="http://cistoner.org/" target="_blank">cistoner.org</a></font></div>







</div></div>
</div></div>
</blockquote><blockquote type="cite"><span>_______________________________________________</span><br><span>Owasp-csrfprotector mailing list</span><br><span><a href="mailto:Owasp-csrfprotector@lists.owasp.org" target="_blank">Owasp-csrfprotector@lists.owasp.org</a></span><br>





<span><a href="https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-csrfprotector</a></span><br></blockquote></div>




</blockquote></div><br></div></div></div></div></blockquote></div><br></div>
</blockquote></div><br></div></div></div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div>
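The design the thread converges on, as an added example that is not part of any post above or of the CSRFProtector project: a list-based default policy, a developer hook that can replace it with an arbitrary predicate, and the client-side GET rewrite that consults that policy before appending the token. The config keys, function names, the "csrfp_token" parameter name and the sample URL patterns are assumptions for illustration.

```javascript
// Added example, not CSRFProtector's own code: csrfConfig, needsProtection,
// rewriteUrl and the "csrfp_token" parameter name are assumed names.
const csrfConfig = {
  origin: "http://localhost",   // assumed site origin; the token never leaves it
  tokenName: "csrfp_token",     // assumed name of the token query parameter
  // Default list policy: path patterns that need the token; "*" matches any run of characters
  protectedUrls: ["/account/delete", "/api/transfer/*", "/admin/*"],
  // Developer hook: a function (url) => boolean that replaces the list-based default
  needsProtection: null,
};

// Turn a pattern like "/api/transfer/*" into a RegExp anchored on the whole path.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Default predicate: compare the path only, so a query string cannot dodge the list.
function defaultNeedsProtection(url) {
  const path = new URL(url, csrfConfig.origin).pathname;
  return csrfConfig.protectedUrls.some((p) => patternToRegExp(p).test(path));
}

// Policy lookup: the developer's override if set, else the list; only an explicit true counts.
function needsProtection(url) {
  const policy = csrfConfig.needsProtection || defaultNeedsProtection;
  return policy(url) === true;
}

// Append a query parameter while keeping the URL's original form and fragment intact.
function appendParam(url, name, value) {
  const hashIdx = url.indexOf("#");
  const base = hashIdx === -1 ? url : url.slice(0, hashIdx);
  const hash = hashIdx === -1 ? "" : url.slice(hashIdx);
  const sep = base.includes("?") ? "&" : "?";
  return base + sep + encodeURIComponent(name) + "=" + encodeURIComponent(value) + hash;
}

// Rewrite a GET URL only when the policy says so, the target is same-origin
// (a cross-origin URL would leak the token) and the token is not already present.
function rewriteUrl(method, url, token) {
  if (method.toUpperCase() !== "GET" || !needsProtection(url)) return url;
  const parsed = new URL(url, csrfConfig.origin);
  if (parsed.origin !== csrfConfig.origin) return url;
  if (parsed.searchParams.has(csrfConfig.tokenName)) return url;
  return appendParam(url, csrfConfig.tokenName, token);
}
```

Setting csrfConfig.needsProtection to a developer function covers the dynamic-URL case from the thread; leaving it null keeps the list behaviour.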