--- Comment #5 from ---
The thing is, cross-domain XMLHttpRequests that receive
"Access-Control-Allow-Origin: *" responses are not allowed[1] to contain
authentication information (cookies or HTTP authentication), so they're always
anonymous, so there are no anti-CSRF tokens to be stolen!

If desired, it is possible to make credentials available in the request, by
setting xhr.withCredentials to true in the request, setting
"Access-Control-Allow-Credentials: true" in the response, and setting
"Access-Control-Allow-Origin" to something other than "*" in the response. By
default, though, the requests are anonymous.

If xhr.withCredentials is set to true and the server returns
"Access-Control-Allow-Origin: *", the browser refuses to allow the response to
be read, so - as far as I can tell - there is no danger of tokens being stolen.


Wikibugs-l mailing list
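The rules described in comment #5 can be modelled directly. The following is an added example, not code from the bug thread or from MediaWiki: a server-side helper that emits the CORS headers for an anonymous ("*") or credentialed (specific-origin) endpoint, and a browser-side function that applies the CORS check from the Fetch standard to decide whether script may read the response. The origins (https://app.example, https://evil.example) and the policy objects are constructed for illustration.

```javascript
// Added example, not part of the original bug comment. Models the CORS
// behaviour the comment describes. Origins and allow-lists are constructed.

// Server side: choose CORS response headers for a request whose Origin header
// is `requestOrigin`. `policy.allowedOrigins` is either the string "*" or an
// array of allowed origins; `policy.credentials` says whether the endpoint is
// meant to be called with cookies / HTTP auth. Returns header name -> value.
function corsResponseHeaders(requestOrigin, policy) {
  const headers = {};
  if (policy.allowedOrigins === "*") {
    // Anonymous-only endpoint. Allow-Credentials is deliberately omitted;
    // a credentialed request would be refused by the browser anyway.
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  if (policy.allowedOrigins.includes(requestOrigin)) {
    // Specific origin: the value must equal the request's Origin exactly, so
    // echo the allow-listed value, and add Vary so shared caches do not hand
    // one origin's response to another.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";
    if (policy.credentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  // Origin not allow-listed: no Access-Control-Allow-Origin at all,
  // so the browser's CORS check fails.
  return headers;
}

// Browser side: the CORS check (Fetch standard) for a cross-origin response.
// `withCredentials` is the XHR flag; returns true if script may read the body.
function browserCorsCheck(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;               // no header: response stays opaque
  if (!withCredentials && acao === "*") return true;  // anonymous request, wildcard OK
  if (acao !== requestOrigin) return false;           // covers "*" + credentials: refused
  if (!withCredentials) return true;                  // anonymous, exact origin match
  // Credentialed request to a matching origin: Allow-Credentials must be
  // exactly the string "true" (case-sensitive).
  return responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Both halves together: can a page on `callerOrigin`, sending an XHR with the
// given withCredentials setting, read the response from a server using `policy`?
function canReadResponse(callerOrigin, withCredentials, policy) {
  const headers = corsResponseHeaders(callerOrigin, policy);
  return browserCorsCheck(callerOrigin, withCredentials, headers);
}

// Scenarios from the comment, with constructed origins.
const wildcard = { allowedOrigins: "*", credentials: false };
const trusted = { allowedOrigins: ["https://app.example"], credentials: true };

console.log(canReadResponse("https://evil.example", false, wildcard)); // true: anonymous, no tokens to steal
console.log(canReadResponse("https://evil.example", true, wildcard));  // false: "*" with credentials is refused
console.log(canReadResponse("https://app.example", true, trusted));    // true: exact origin + Allow-Credentials
console.log(canReadResponse("https://evil.example", true, trusted));   // false: origin not allow-listed
```

The one caveat a practitioner should keep in mind: the browser's refusal applies specifically to "*" combined with credentials. If a server instead reflects whatever Origin it receives and sets Access-Control-Allow-Credentials: true, browserCorsCheck passes for any caller, so the allow-list in corsResponseHeaders, not the wildcard rule, is what keeps a credentialed endpoint safe.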