Yes, but it prevents a third-party site from doing something like this
(yes, a variation on this really happened)

<!-- hidden form on a third-party page, posting into the victim's logged-in session; note that no authenticity_token is sent -->
<form action="http://twitter.com/statuses/" method="post" id="hax">
  <input type="hidden" name="status[text]" value="OMG hax!!" />
</form>
<script>$('hax').submit();</script>


On Thu, Sep 18, 2008 at 1:08 PM, pankaj <[EMAIL PROTECTED]> wrote:
>
> To prevent XSS attacks, Rails generates an authenticity_token for every
> form.
> This token has to be present with every request other than 'get'.
> I have noticed that this token is the same across the application, I
> think for a particular session.
> This token can be extracted by JavaScript and a new create/update/
> delete request can be successfully executed.
> Then the authenticity_token is of no use.
> Correct me if I am wrong?
>
> Regards,
> Pankaj
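A simplified model of the check the reply above is relying on, added here and not code from the thread or from Rails itself (class and method names are made up): the token lives in the server-side session, the site's own forms embed it, and any non-GET request without a matching value is refused. A third-party page can make the browser post a form at the site, as in the snippet above, but it cannot read the victim's token, so its request fails.

```ruby
# Added illustration, not Rails source: a per-session authenticity token
# check in the style the reply describes. Class and method names are made up.
require "securerandom"

class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # One token per session, minted on first use. The value lives in the
  # server-side session and is embedded only in the site's own pages, which
  # a third-party origin cannot read because of the same-origin policy.
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Rails-style rule: reads pass, every other verb must carry the token.
  def self.verified_request?(method, session, params)
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    expected = session[:_csrf_token]
    supplied = params["authenticity_token"]
    return false if expected.nil? || supplied.nil?
    secure_equal?(expected, supplied)
  end

  # Constant-time comparison so the token cannot be recovered byte by byte
  # through response timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Constructed scenario: one victim session, a request from the site's own
  # form (token embedded) and one from the hostile form quoted above.
  def self.demo
    session = {}
    own_form = { "status[text]" => "hello",
                 "authenticity_token" => token_for(session) }
    hostile  = { "status[text]" => "OMG hax!!" }  # attacker never saw the token
    {
      same_site:  verified_request?("POST", session, own_form),
      cross_site: verified_request?("POST", session, hostile),
      plain_get:  verified_request?("GET",  session, hostile)
    }
  end
end

puts CsrfGuard.demo.inspect if $PROGRAM_NAME == __FILE__
```

A GET with no token still passes, which is why a state-changing action must never be reachable over GET.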

