Niet the Dark Absol

Reputation: 324800

Detect (and block) a GET request hidden in an image

It came to my attention a while ago that some people were posting "images" on my forums, which, when viewed by a logged-in user, forced them to perform actions on the site they may not want to. The actions in question are normally performed by a simple GET request to the relevant page.

This has been patched by requiring all non-trivial changes to be POST requests, but I was left wondering about this:

Is it possible to detect when a browser is expecting an image, and block a PHP script from being run if so?

My initial attempt was:

<?php
    // Reject the request when the client's Accept header mentions an image type.
    // stripos() returns 0 when the match is at the very start of the string, so
    // the result must be compared with false rather than used as a boolean.
    if( isset($_SERVER['HTTP_ACCEPT']) && $_SERVER['HTTP_ACCEPT'] != ""
     && stripos($_SERVER['HTTP_ACCEPT'],"image/") !== false) die("Insert error message here");
?>

However, while it worked perfectly in IE and Firefox, Google Chrome (for some reason) includes "image/png" as part of its Accept header, causing users to be unable to load any pages that were "protected".

So clearly this idea works in theory, but in practice it's unreliable. Is there a reliable method for this?

Upvotes: 1

Views: 223

Answers (2)

UllaDieTrulla

Reputation: 573

As far as I understood your question, you'd like to protect yourself against CSRF. On wikipedia, you'll find some ideas.

If you want to protect yourself against CSRF, your suggested way doesn't seem useful... in my opinion.

Upvotes: 0

Quentin

Reputation: 944200

This has been patched by requiring all non-trivial changes to be POST requests

Good. The HTTP specification states that GET requests shouldn't cause non-trivial changes.

Is it possible to detect when a browser is expecting an image, and block a PHP script from being run if so?

No. You just need to stop people adding content to your site that triggers POST requests.

To stop people adding content to other sites that causes browsers to automatically make POST requests to your site, implement CSRF protection.

Upvotes: 1
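The two measures Quentin recommends, rejecting anything but POST for state-changing actions and tying each such request to a session-bound token, look like this in PHP. This is an added example, not code from the question or either answer; the function names csrf_token(), csrf_verify() and require_csrf_post(), and the 'csrf_token' session key and form field, are assumptions chosen for the example.

```php
<?php
// Added example (not from the question or answers): synchronizer-token CSRF
// check for a state-changing endpoint. Function names and the 'csrf_token'
// session/form field are assumptions chosen for this illustration.
declare(strict_types=1);

session_start();

// Return the session's CSRF token, minting one on first use.
// 32 random bytes -> 64 hex characters; unguessable by a third-party page.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_verify(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Gatekeeper for any request that changes state. An <img src="..."> embedded
// in a forum post can only issue a GET and cannot carry the session-bound
// token, so both checks reject the forged requests the question describes.
function require_csrf_post(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('State-changing actions must be POST requests.');
    }
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}

require_csrf_post();
// ... perform the non-trivial change here ...
echo 'Action performed.';
```

Every form that targets this script must embed the token as a hidden field, for example with a field named csrf_token whose value is the HTML-escaped result of csrf_token(); the browser then submits it with the POST, while a request forged from another page has no way to read the session's token. hash_equals() is used instead of == so that the comparison time does not leak how many leading characters of a guessed token were correct.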
