Reputation: 334
CSRF protection for GET requests
I have a RESTful API that I interact with via a website I have made. I have POST, DELETE, PUT, etc. requests adequately protected, so attackers cannot make any changes to the database via CSRF.
However, if someone uses CSRF to make a GET request to the website, I'm worried that they may be able to view the response, which could reveal the sensitive data that is stored in the database.
Is it possible for them to view the response to a cross-site GET request, or is this definitely, completely taken care of by Javascript's Same Origin Policy?
Upvotes: 2
Views: 80
Answers (1)
Reputation: 943220
is this definitely, completely taken care of by Javascript's Same Origin Policy?
Yes. That's the point of the Same Origin Policy.
To be vulnerable you would need to either:
- Punch a hole in the SOP using something like JSONP or CORS or
- Not perform user authentication so they could access the data without involving an authenticated user's browser as a middleman
Upvotes: 2
Related Questions
- Preventing CSRF while using CORS?
- CSRF protection in angular js application with cross domain
- How to implement CSRF protection for GET requests in Express?
- A confusion about same origin policy(sop) and csrf protection
- Preventing CSRF with a cross-domain JavaScript call
- CSRF protection with javascript?
- CSRF Protection in ExpressJS
- CSRF prevention for GET requests
- CSRF protection of GET links
- how to make a cross domain request that isnt forgeable