https://bugzilla.wikimedia.org/show_bug.cgi?id=60835

--- Comment #5 from eaton....@gmail.com ---
The thing is, cross-domain XMLHttpRequests that receive
"Access-Control-Allow-Origin: *" responses are not allowed[1] to contain
authentication information (cookies or HTTP authentication), so they're always
anonymous, so there are no anti-CSRF tokens to be stolen!

If desired, it is possible to make credentials available in the request, by
setting xhr.withCredentials to true in the request, setting
"Access-Control-Allow-Credentials: true" in the response, and setting
"Access-Control-Allow-Origin" to something other than "*" in the response. By
default, though, the requests are anonymous.

If xhr.withCredentials is set to true and the server returns
"Access-Control-Allow-Origin: *", the browser refuses to allow the response to
be read, so - as far as I can tell - there is no danger of tokens being stolen.

[1] https://developer.mozilla.org/en/docs/HTTP/Access_control_CORS#Requests_with_credentials

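The rules the comment lays out (anonymous by default; credentials only with `xhr.withCredentials`, `Access-Control-Allow-Credentials: true` and a non-wildcard origin; wildcard plus credentials means the response is unreadable) can be modelled as a small decision function. This is an added illustration, not code from MediaWiki or from the bug; `corsResponseReadable`, the lowercase header map and the sample origins are assumptions constructed here, and the model ignores preflights and the `null` origin.

```javascript
// Added example: a simplified model of the browser-side CORS check described
// in the comment. Not MediaWiki code; names and sample data are constructed.

/**
 * Decide whether page script running at `requestOrigin` may read a
 * cross-origin XHR response. `withCredentials` mirrors xhr.withCredentials;
 * `headers` is a map of lowercase response header names to values.
 * Returns { allowed, reason }.
 */
function corsResponseReadable(requestOrigin, withCredentials, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (!withCredentials) {
    // Anonymous request: no cookies or HTTP auth were sent, so even a "*"
    // response exposes only what an unauthenticated client could fetch anyway.
    if (acao === '*' || acao === requestOrigin) {
      return { allowed: true, reason: 'anonymous request, origin allowed' };
    }
    return { allowed: false, reason: 'origin not allowed' };
  }
  // Credentialed request: the wildcard is rejected outright, the origin must
  // match exactly, and the server must opt in with the credentials header.
  if (acao === '*') {
    return { allowed: false, reason: 'wildcard not valid with credentials' };
  }
  if (acao !== requestOrigin) {
    return { allowed: false, reason: 'origin not allowed' };
  }
  if (acac !== 'true') {
    return { allowed: false, reason: 'Access-Control-Allow-Credentials not true' };
  }
  return { allowed: true, reason: 'credentialed request explicitly allowed' };
}

// Constructed sample responses (not captured from any real server).
const PUBLIC_API = { 'access-control-allow-origin': '*' };
const PARTNER_API = {
  'access-control-allow-origin': 'https://partner.example',
  'access-control-allow-credentials': 'true',
};
```

With `PUBLIC_API`, a third-party page can read the response only when the request is anonymous, which is exactly why no session-bound anti-CSRF token is exposed.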