Hi Jon, I have a question.
> With the current CSRF protection, the following will happen:
>
> * Alice is logged in to Facebook
> * Alice visits badsite.com
> * Mallory, who owns badsite.com, has added some code to the page that
>   makes a request to facebook.com and posts on Alice's wall.
> * Alice visits badsite.com and, without her intending it, a request
>   is made to post on her wall
> * Facebook detects that there is no CSRF token associated with the
>   request, and so logs her out by resetting the session
> * Then, based on the authorisation rules within the application,
>   Facebook refuses to post on the wall, because the user is not logged in

In my understanding, Alice gets logged out of Facebook unintentionally by visiting badsite.com. I think this is an ugly side effect. Am I wrong?

-- 
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
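The flow described in the quoted message, replayed as an added example that is not part of the thread and not Rails' own code: a constructed, in-memory model of a session store and a forgery check, run once with the "reset the session on a missing or wrong token" behaviour the message describes and once with a "reject the request but keep the session" behaviour. The `WallApp`, `Session` and `run_scenario` names, the cookie value and the post texts are all assumptions made for the illustration.

```ruby
require 'securerandom'

# Assumed, simplified session object: a per-cookie hash that can be wiped.
class Session
  def initialize; @data = {}; end
  def [](key); @data[key]; end
  def []=(key, value); @data[key] = value; end
  def reset!; @data = {}; end   # models ActionController's reset_session
end

# Assumed toy application standing in for "Facebook" in the scenario.
# strategy: :reset_session (log the user out on a bad token) or
#           :exception     (reject the request, leave the session alone)
class WallApp
  attr_reader :wall

  def initialize(strategy:)
    @strategy = strategy
    @sessions = Hash.new { |h, cookie| h[cookie] = Session.new }
    @wall = []
  end

  # Alice logs in: her session gets a user id and a fresh per-session CSRF token.
  def login(cookie, user)
    session = @sessions[cookie]
    session[:user_id] = user
    session[:_csrf_token] = SecureRandom.base64(32)
  end

  def logged_in?(cookie); !@sessions[cookie][:user_id].nil?; end
  def csrf_token_for(cookie); @sessions[cookie][:_csrf_token]; end

  # A POST arrives with the session cookie (the browser attaches it regardless of
  # which site issued the request) and whatever authenticity_token the page sent.
  def post_to_wall(cookie:, authenticity_token:, text:)
    session = @sessions[cookie]
    unless verified_request?(session, authenticity_token)
      case @strategy
      when :reset_session
        session.reset!                 # user_id is gone: Alice is now logged out
      when :exception
        return :rejected_invalid_token # in Rails this becomes a 422; session untouched
      end
    end
    # Authorisation rule: only a logged-in user may post.
    return :denied_not_logged_in if session[:user_id].nil?
    @wall << [session[:user_id], text]
    :posted
  end

  private

  # Mallory cannot read Alice's token out of her session or cookies, so a
  # cross-site request can only carry a guess (or nothing at all).
  def verified_request?(session, token)
    expected = session[:_csrf_token]
    return false if expected.nil? || token.nil?
    secure_compare(expected, token)
  end

  # Constant-time comparison so the check does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replay the thread's scenario for one strategy and report what happened.
def run_scenario(strategy)
  app = WallApp.new(strategy: strategy)
  cookie = 'alice-session-cookie'   # constructed value
  app.login(cookie, 'alice')

  # Step 1: badsite.com auto-submits a form to the wall endpoint. Alice's browser
  # sends her cookie, but the page has no way to know her token.
  forged = app.post_to_wall(cookie: cookie, authenticity_token: 'guess',
                            text: 'Visit badsite.com!')

  # Step 2: Alice then posts from a form she loaded herself, which embeds
  # whatever token her session currently holds (nil if the session was reset).
  legit = app.post_to_wall(cookie: cookie, authenticity_token: app.csrf_token_for(cookie),
                           text: 'hello')

  { forged: forged, still_logged_in: app.logged_in?(cookie), legit: legit, wall: app.wall }
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario(:reset_session)
  p run_scenario(:exception)
end
```

With `:reset_session` the forged request is denied, but so is Alice's own next post, because the reset also discarded her login and her token: that is the side effect the message asks about. With `:exception` the forged request is rejected with the session intact, and Alice's next post goes through. Rails' later generated ApplicationController uses `protect_from_forgery with: :exception` for this reason.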
