
Comment by chrisseaton

7 years ago

It's not about access control, it's about the fact that browsers are free to make speculative GET requests whenever they like, and they actively do to pre-fetch pages. His GET end-point was pre-fetched by his browser, activating the door. This would still happen even if there was a token or session associated.

> This would still happen even if there was a token or session associated.

This is exactly the scenario a CSRF token is supposed to prevent. But I understand your point.