Re: CSRF, XSS protection

2013-04-18 Thread Ed
but it's impossible to hijack the session itself. Why is this important when you have a hole in your site due to XSS, as you assume above? If some script gets full access to your site through XSS, it can set any header it wants, such that your backend can't see the difference between a legal

CSRF, XSS protection

2011-04-04 Thread pansen
Hi, we figured out some more advanced CSRF protection for our app to be built. I wrote a short spec from the current perspective. If you have some notes or enhancements, please let me know. thx, andi GWT CSRF Security = There is a good explanation of different security leaks

Re: CSRF, XSS protection

2011-04-04 Thread jhulford
On Apr 4, 8:56 am, pansen andi.ba...@googlemail.com wrote: Hi, Now we prevent anybody from stealing our sessions, but we are also unable to use the sessionid as CSRF protection. Therefore it's necessary to use a different token for this kind of protection. We call it ``X-Request-Token``, which
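The scheme quoted above, an HttpOnly session cookie plus a separate per-session token echoed in an ``X-Request-Token`` header, can be illustrated with a small server-side check. This is an added example and not the spec's or GWT's own code; the cookie name ``sessionid``, the in-memory ``SESSIONS`` store and the request shapes are assumptions made for the illustration. It shows the property the check actually gives you: a cross-site request that the browser attaches the cookie to automatically, but that cannot carry a custom header, is rejected, while a same-origin XHR that presents the token bound to its own session is accepted.

```python
import hmac
import secrets

# Hypothetical store: session id -> CSRF token minted for that session.
# Constructed for this example; a real deployment would keep it server-side
# next to the rest of the session state.
SESSIONS: dict[str, str] = {}


def create_session() -> tuple[str, str]:
    """Mint a session id and a request token bound to it.

    The session id goes into an HttpOnly cookie (so page script cannot read
    it); the request token is handed to the page so the client can send it
    back in the X-Request-Token header on every state-changing request.
    """
    session_id = secrets.token_urlsafe(32)
    request_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = request_token
    return session_id, request_token


def is_request_allowed(cookies: dict[str, str], headers: dict[str, str]) -> bool:
    """Return True only if a valid session cookie is present AND the
    X-Request-Token header matches the token minted for that session.

    A token from some other session, a missing header, or an unknown
    session all fail.  Header names are compared case-insensitively.
    """
    session_id = cookies.get("sessionid")
    if session_id is None or session_id not in SESSIONS:
        return False
    normalized = {k.lower(): v for k, v in headers.items()}
    presented = normalized.get("x-request-token")
    if presented is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(presented, SESSIONS[session_id])


def demo() -> dict[str, bool]:
    """Run the three request kinds the thread is about and return the verdicts."""
    sid, tok = create_session()
    other_sid, other_tok = create_session()
    return {
        # Same-origin XHR: browser sends the cookie, page script adds the header.
        "same_origin_xhr": is_request_allowed(
            {"sessionid": sid}, {"X-Request-Token": tok}
        ),
        # Cross-site form POST: cookie is attached automatically, but a plain
        # form cannot set a custom header, so no token arrives.
        "cross_site_form": is_request_allowed({"sessionid": sid}, {}),
        # A token stolen from a different session does not match this one.
        "token_from_other_session": is_request_allowed(
            {"sessionid": sid}, {"X-Request-Token": other_tok}
        ),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

Note that the check only distinguishes requests that cannot set custom headers from those that can; script already running in the page's origin can read the token and set the header, which is the limitation the later replies in this thread raise.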

Re: CSRF, XSS protection

2011-04-04 Thread Andi
Perhaps I'm missing something, but isn't this just security through obscurity? You've raised the bar to some extent, but presumably you're storing that security token in some sort of client variable; can't the injected code then just access that same variable too once the attacker figures