XSS security issue on delete links

[almet]

Delete should use POST, not GET (For members, expenses and projects), to avoid XSS attacks.

[fredericsureau]

Can you explain why using POST instead of GET would avoid XSS attacks?

[almet]

I thought that the browsers prevented one website to do POSTs from other websites and that it wasn't the case with GET calls (because there is no reason to do so).

Using the HTTP specified usage for GET and POST, in which GET requests never have a permanent effect, is good practice but is not sufficient to prevent CSRF. Attackers can write JavaScript or ActionScript that invisibly submits a POST form to the target domain. However, filtering out unexpected GETs prevents some particular attacks, such as cross-site attacks using malicious image URLs or link addresses and cross-site information leakage through script elements (JavaScript hijacking); it also prevents (non-security-related) problems with aggressive web crawlers and link prefetching.

http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention (a lot of useful information in there)

So I guess we can do a POST and generate unique tokens valid for only one call, and pass it along with the form we send.

[fredericsureau]

Okay for that