I think it would be a good idea to enable CSRF on all comment forms, even if anonymous users have the 'post comments' privilege.

I don't see a compelling reason not to add it.

Otherwise if a drupal site is configured with anonymous commenting it just leads to lots of spam (and there are plenty of legitimate reason not to hand out accounts to users of your site).

Comments

Status: Active » Closed (outdated)

Automatically closed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.