You defeat the purpose of CSRF by going outside the domain to use the script. CSRF attacks go after already applied authentication by using it against the user (using their security auth to do something malicious).
I wasn't referring to CSRF. I was showing how the shopping cart/MySpace example wasn't a valid reason against using REQUEST, as the hacker can fake-post to the shopping cart just as easy as he can fake-get to the shopping cart, both without user interaction.
_______________________________________________ UPHPU mailing list [email protected] http://uphpu.org/mailman/listinfo/uphpu IRC: #uphpu on irc.freenode.net
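
A server-side check for the shopping-cart case discussed in this thread, as an added example that is not part of the original messages: the request is accepted only when it carries a per-session token, whichever request method it arrives by. The function names, the `csrf_token` and `item_id` field names, and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example (not from the thread). Hypothetical cart handler: function
// names and the 'csrf_token' / 'item_id' field names are assumptions.
declare(strict_types=1);

// Issue one random token per session; embed it in every state-changing form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a cart update may proceed.
function cart_update_allowed(string $method, array $params, array $session): bool
{
    // Restricting the method keeps state changes off GET, so plain links and
    // image tags cannot trigger them. It does not stop a cross-site POST.
    if ($method !== 'POST') {
        return false;
    }
    // The session-bound token is the value a third-party page cannot supply.
    $sent = $params['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Constructed sample requests (stand-ins for $_SESSION and the request arrays).
$session = [];
$token = csrf_token($session);

$cases = [
    'GET, no token'      => ['GET',  ['item_id' => '7']],
    'POST, no token'     => ['POST', ['item_id' => '7']],
    'POST, wrong token'  => ['POST', ['item_id' => '7', 'csrf_token' => str_repeat('0', 64)]],
    'POST, valid token'  => ['POST', ['item_id' => '7', 'csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $params]) {
    $result = cart_update_allowed($method, $params, $session) ? 'accepted' : 'rejected';
    printf("%-20s %s\n", $label, $result);
}
```

Only the last case is accepted; a POST without the session's token is rejected the same way the GET is.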
