On Thu, Mar 19, 2009 at 9:53 AM, Thomas Guettler <[email protected]> wrote: > > The CSRF middleware inserts a hidden input element in every form. > > Since GET Requests are mostly readonly, the bad guy needs a POST > request to do some evil. > > If the bad guy can make a POST request > with the user's browser, the bad guy might make a GET request with javascript > first , read the hidden input element and use the value for the evil > POST request.
the read-stuff-with-javascript will not work, because ajax requests cannot read from a different domain. also, please note that even if GET requests are mostly readonly, if they return JSON, they can be still read by a CSRF attack, so those have to be secured ( usually be verifying the special header set by ajax requests ). gabor --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/django-developers?hl=en -~----------~----~----~----~------~----~------~--~---
