On Mon, Dec 8, 2014 at 11:44 AM, Carl Meyer <[email protected]> wrote:
> Hi Larry,
>
> On 12/08/2014 07:14 AM, Larry Martell wrote:
>> On Sat, Dec 6, 2014 at 1:41 AM, James Schneider <[email protected]>
>> wrote:
>>> Check out Collin's email from earlier, it has an example using curl but you
>>> should be able to adapt your web request with the cookie and POST values via
>>> the Python script. The cookie and POST values for the CSRF token can be
>>> anything, they just need to match.
>>>
>>> https://groups.google.com/d/msgid/django-users/fb6e54a8-c9e7-45f7-882f-bc05c8ee90d2%40googlegroups.com?utm_medium=email&utm_source=footer
>>
>> Thanks. This is very simple. So simple I didn't even think of this.
>> But then can't anyone override the CSRF protection very easily?
>
> This is explained in the link to a previous thread that I posted above.
>
> The CSRF protection works because malicious JS can't control the value
> of the CSRF cookie submitted by your browser.
Right, but anyone can write a script to bypass the CSRF protection. I was
surprised that it would be so easy to do that. I guess that's not what CSRF
was designed to protect against.
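A small model of the double-submit check Carl describes, added here as an illustration and not code from Django or from anyone in this thread. It assumes a simplified check (cookie token must equal the POSTed token) and constructs two scenarios: a cross-origin page driving the victim's browser, which cannot read the victim's cookie and so cannot supply a matching field, and a client that controls its own cookie jar, which passes the check but only ever carries its own cookies, not the victim's session.

```python
import hmac
import secrets


def generate_csrf_token() -> str:
    """Issue a random token; the site sets it as the csrftoken cookie and
    embeds the same value in each form it renders (simplified model)."""
    return secrets.token_hex(16)


def csrf_check(cookies: dict, post: dict) -> bool:
    """Simplified double-submit check in the spirit of Django's middleware
    (hypothetical, not Django's code): accept only when both the cookie
    token and the POSTed token are present and equal, compared in
    constant time."""
    cookie_token = cookies.get("csrftoken")
    form_token = post.get("csrfmiddlewaretoken")
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def cross_site_form_attempt(victim_cookies: dict) -> bool:
    """The case CSRF protection exists for: a page on another origin makes
    the victim's browser POST to the site. The browser attaches the
    victim's cookies automatically, but the other origin cannot read or
    set them, so the best it can do is guess (or omit) the hidden field."""
    attacker_guess = {"csrfmiddlewaretoken": secrets.token_hex(16)}
    return csrf_check(victim_cookies, attacker_guess)


def own_client_attempt() -> bool:
    """The curl/script case from the thread: the client controls both its
    own cookie jar and its own POST body, so any matching pair passes.
    This is not a bypass of the protection's goal, because the request
    carries only this client's cookies, never the victim's sessionid."""
    token = "anything"
    return csrf_check({"csrftoken": token}, {"csrfmiddlewaretoken": token})


if __name__ == "__main__":
    # Constructed victim cookie jar: CSRF token plus a session cookie.
    victim = {"csrftoken": generate_csrf_token(), "sessionid": "constructed"}
    print("legit form:", csrf_check(victim, {"csrfmiddlewaretoken": victim["csrftoken"]}))
    print("cross-site form:", cross_site_form_attempt(victim))
    print("own client:", own_client_attempt())
```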

