On Mon, Dec 14, 2009 at 6:14 PM, Jonas Sicking <[email protected]> wrote:
> For what it's worth, I'm not sure that "eliminating" is correct here.
> With UM, I can certainly see people doing things like using a wrapping
> library for all UM requests (very commonly done with XHR today), and
> then letting that library add the security token to the request.

There are real examples of this exact vulnerability occurring in CSRF
defenses based on secret tokens.  There's no silver bullet for
security.

Adam
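
One way a token-adding wrapper library of the kind discussed above can go wrong, as an added example that is not code from this thread or from any library it refers to: if the wrapper attaches the token to every request, the token also travels to whatever origin the URL resolves to. That this is the failure the thread has in mind is an assumption; the header name, origins and token value are constructed.

```javascript
// Added illustration; all names and values below are constructed.
const TOKEN_HEADER = "X-Security-Token"; // hypothetical header name

// Blanket wrapper: adds the token no matter where the request is going.
function buildRequestNaive(url, token, baseUrl) {
  const target = new URL(url, baseUrl);
  return { url: target.href, origin: target.origin,
           headers: { [TOKEN_HEADER]: token } };
}

// Scoped wrapper: resolves the URL first, then adds the token only when
// the resolved origin is on an explicit allowlist.
function buildRequestScoped(url, token, baseUrl, allowedOrigins) {
  let target;
  try {
    target = new URL(url, baseUrl);
  } catch (e) {
    throw new Error("refusing unparseable URL: " + url);
  }
  const headers = {};
  if (allowedOrigins.has(target.origin)) {
    headers[TOKEN_HEADER] = token;
  }
  return { url: target.href, origin: target.origin, headers };
}

// Returns the list of origins that would receive the token for each wrapper.
function tokenRecipients(urls, token, baseUrl, allowedOrigins) {
  const sent = (reqs) =>
    reqs.filter((r) => TOKEN_HEADER in r.headers).map((r) => r.origin);
  return {
    naive: sent(urls.map((u) => buildRequestNaive(u, token, baseUrl))),
    scoped: sent(urls.map((u) =>
      buildRequestScoped(u, token, baseUrl, allowedOrigins))),
  };
}

// Constructed sample input: one same-origin path and three URLs that
// resolve to a different origin in ways that are easy to misread.
const BASE = "https://app.example/inbox";
const ALLOWED = new Set(["https://app.example"]);
const SAMPLE_URLS = [
  "/api/messages",                     // same origin
  "//other.example/collect",           // scheme-relative, different host
  "https://app.example@other.example/", // userinfo, host is other.example
  "https://other.example/api",
];
console.log(tokenRecipients(SAMPLE_URLS, "tok-constructed", BASE, ALLOWED));
```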
