#8127: CSRF + AJAX
---------------------------------------------+------------------------------
Reporter: xlax                               | Owner: nobody
Status: new                                  | Milestone:
Component: Contrib apps                      | Version: SVN
Resolution:                                  | Keywords: CSRF AJAX
Stage: Design decision needed                | Has_patch: 1
Needs_docs: 0                                | Needs_tests: 1
Needs_better_patch: 0                        |
---------------------------------------------+------------------------------
Comment (by jmillikin):
I found a SecurityFocus article [1] that mentions that Adobe Flash is capable of both cross-site requests and setting arbitrary HTTP headers. If this is true, then relying on the X-Requested-With header will allow hostile cross-site requests if a user visits a malicious site. Is this concern accurate, or does Flash enforce the same cross-site rules as the XMLHttpRequest object?

[1] http://www.securityfocus.com/archive/1/441014

--
Ticket URL: <http://code.djangoproject.com/ticket/8127#comment:12>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
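The concern raised in this comment is that an "X-Requested-With" header is only a signal that a request came from an AJAX library, not a secret, so any client able to set arbitrary headers on a cross-site request satisfies a header-only check. The following is an added example, not Django's own CSRF middleware and not code from the ticket's patch: it models requests as plain dicts and contrasts a header-only check with a double-submit token check, where the value echoed by the page's script must match the site's own cookie, which a cross-site page cannot read. The request model, function names and sample values are constructed for illustration.

```python
"""Added example (not Django's code): header-only CSRF check versus a
secret-token check.  Requests are modelled as dicts; all sample values
below are constructed for illustration."""
import hmac
import secrets


def make_request(headers=None, cookies=None, post=None):
    """Hypothetical request model: headers, cookies the browser attached,
    and the POST body."""
    return {"headers": headers or {}, "cookies": cookies or {}, "post": post or {}}


def header_only_check(request):
    """Accept the request if it carries the header AJAX libraries add.
    The header is not a secret, so any client that can set arbitrary
    headers on a cross-site request passes this check."""
    return request["headers"].get("X-Requested-With") == "XMLHttpRequest"


def token_check(request, cookie_name="csrftoken", field_name="csrfmiddlewaretoken"):
    """Double-submit style check: the token in the POST body (or in an
    X-CSRFToken header) must equal the token stored in the site's own cookie.
    A cross-site page cannot read that cookie, so it cannot supply a matching
    value regardless of which headers it is able to set."""
    cookie_token = request["cookies"].get(cookie_name)
    submitted = request["post"].get(field_name) or request["headers"].get("X-CSRFToken")
    if not cookie_token or not submitted:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(cookie_token, submitted)


def demo():
    """Run both checks over a legitimate same-site AJAX request and a
    cross-site request that forges the X-Requested-With header."""
    token = secrets.token_hex(16)  # constructed per-session secret

    # Legitimate same-site AJAX request: the page's own script read the
    # cookie and echoed it in a header.
    legit = make_request(
        headers={"X-Requested-With": "XMLHttpRequest", "X-CSRFToken": token},
        cookies={"csrftoken": token},
    )

    # Cross-site request: the browser still attaches the victim's cookie and
    # the client sets the AJAX header, but it has no way to learn the cookie
    # value, so no matching token is submitted.
    cross_site = make_request(
        headers={"X-Requested-With": "XMLHttpRequest"},
        cookies={"csrftoken": token},
        post={"amount": "100"},
    )

    return {
        "header_only": (header_only_check(legit), header_only_check(cross_site)),
        "token": (token_check(legit), token_check(cross_site)),
    }


if __name__ == "__main__":
    print(demo())  # header_only accepts both; token accepts only the legitimate one
```

The token check only holds if the token cookie cannot be read or set by other origins, so it must be bound to the site's own domain and the page's script must be the one echoing it; the header-only check has no such secret to protect, which is the gap the comment describes.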