I've been working on the login flow for a simple web program. In the process, I learned about two things:

1. Forms cannot submit DELETE or PUT requests.
2. How Cross-Site Request Forgery works -

Synthesizing these two pieces of knowledge, would it not be true that making your whole API use DELETE and PUT would obviate the need for CSRF tokens? The same-origin policy would prevent anyone but the page itself from making DELETE and PUT requests via JS, which is the only way to use those two methods.

To be clear, I think this is an entirely stupid idea, but it's intriguing nonetheless.

Forms cannot **yet** submit DELETE or PUT requests. It would be much safer to just use an arbitrary verb, like `e880ccc6-d32f-4eaa-b850-2e513eb7b97b-ing`.

Sign in to participate in the conversation
Functional Café

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!