Jonathan Vanasco wrote:
> can't a lot of this be locked down with http referrers?

Until July of this year, checking the Referer was thought to be a pretty
good safeguard against CSRF, because an attacker would have to cause a
victim to send the right Referer, which isn't so easy.

Unfortunately, Amit Klein published some research in July that
demonstrated how to do this with Flash. So, if your users use clients
that support Flash (which most do), this is not a good safeguard.

Chris

-- 
Chris Shiflett
http://shiflett.org/
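
The Referer check discussed above, written out as an added example (not code from Chris or from the thread) so the usual implementation pitfalls are visible. It assumes a single trusted origin, `https://app.example.com`, and compares the full scheme, host and port rather than doing a substring match; the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Origins this application is served from (assumed values for the example).
# Stored as (scheme, host, port) so the comparison is exact, not a substring test.
TRUSTED_ORIGINS = {("https", "app.example.com", 443)}


def referer_allows_request(headers: dict) -> bool:
    """Return True only if the Referer header names a trusted origin.

    Fails closed: a missing, malformed or foreign Referer is rejected.
    Matching the whole (scheme, host, port) tuple means that
    'https://app.example.com.attacker.test' and 'http://app.example.com'
    are rejected, which a naive startswith/substring check would allow.
    As the thread notes, a passing check is defence in depth only; it does
    not by itself prove the request was issued by the user.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    try:
        parts = urlsplit(referer)            # raises ValueError on a bad netloc
        host, port = parts.hostname, parts.port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if not scheme or not host:
        return False
    if port is None:                          # fill in the scheme's default port
        port = {"https": 443, "http": 80}.get(scheme)
    return (scheme, host.lower(), port) in TRUSTED_ORIGINS


# Constructed sample requests, one per case the check must handle.
SAMPLES = {
    "same_origin":  {"Referer": "https://app.example.com/account/settings"},
    "foreign":      {"Referer": "https://attacker.test/page.html"},
    "suffix_trick": {"Referer": "https://app.example.com.attacker.test/"},
    "downgraded":   {"Referer": "http://app.example.com/"},
    "missing":      {},
    "garbage":      {"Referer": "http://[not-a-host"},
}


def evaluate_samples() -> dict:
    """Run the check over every sample; only 'same_origin' should be allowed."""
    return {name: referer_allows_request(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:12s} -> {'allow' if ok else 'reject'}")
```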
