[- all but Adam and pubic-webapps] On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth <[email protected]> wrote:
> On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <[email protected]> wrote: > > If servers at A don't freely hand out such tokens in response to > guessable GET > > requests, then the secret token prevents XSS-at-A-attacker's XSRF against > B > > from abusing the authority that B associates with A. > > I don't see what GET has to do with it. In any case, the XSS attacker > can always enter the site at the home page (e.g., http://example.com/) > and follow whatever obscure links exist until it reaches the page that > contains the token.[...] If the starting point "http://example.com/"; is guessable, then the XSS attacker thereby succeeds at obtaining the token only if the server at example.com hands out the token in response to a guessable sequence of GET requests. If the starting point is not guessable, then I don't understand your example. -- Cheers, --MarkM
