On Sun, Oct 12, 2014 at 12:17 AM, Danny Yoo <[email protected]> wrote:
> Huh. Wow. That actually worked?
>
> :P
>
> ---
>
> Frankly speaking though, this sounds like a horrible XSRF-style attack in waiting, if I understand what has just happened. (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
>
> Usually, requests to do mutation operations are protected so that, in order to make the request, you have to have some knowledge in the request that's specific to the user, and not public knowledge. The URL you've described is missing this basic information, an "XSRF token" as it's commonly known (though I would have assumed it would be called an "anti-XSRF" token, but oh well.)
>
> I'm not sure how your web browser is handling the 'steam://' URL class, but I would very much hope that, in the interface between the browser and your Steam client, it's doing something to mitigate what looks like an XSRF exploit.
>

Well, the person needs to be logged in to the browser (maybe cookies are set for that); when I trigger that in the browser it automatically opens the Steam software installed on the computer and adds the person. I don't know if it's a flaw, but it's very useful for what I'm doing. If you go to ANY profile on Steam (after logging in), let's say 'http://steamcommunity.com/profiles/<ID_HERE>', you can add the person, that simple.
_______________________________________________
Tutor maillist - [email protected]
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor
