--- Ed Lazor <[EMAIL PROTECTED]> wrote:
> Wouldn't it work to just make the script spit out a mime type
> header and a small (1x1) image when it's done to satisfy the
> browser's mime type requirements?

Definitely, but most CSRF attacks are meant to spoof a request from the legitimate user to some Web site where he/she already has privilege. Thus, the receiving site is usually as much the victim as the user.

I'm not sure if that makes any sense... :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php