On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller <erights@google.com> wrote:
> On Sun, Jun 7, 2009 at 3:54 PM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> GET really doesn't have anything to do with it. The attacker can
>> issue POST requests (and really any other method) too. Note that the
>> attacker can read the response and follow any links, etc.
>
> Recall that we were examining the GET hypothesis under the assumption that
> POSTs were already protected by secret tokens against XSRFs.

Right, but once the attacker has XSSed site A, the attacker learns the
secret token necessary to issue the next request in the chain to site A
regardless of the method.

Adam

Received on Sunday, 7 June 2009 23:30:51 GMT
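A constructed model of the point made above, added here as an example and not code from the thread: a session-bound anti-XSRF token check that ignores the HTTP method, and two requesters that differ only in whether they can read site A's responses. Class and function names are made up for the illustration.

```python
import hmac
import re
import secrets


class SiteA:
    """Constructed model of site A: every request must carry the session's token."""

    def __init__(self):
        self.tokens = {}  # session id -> per-session anti-XSRF token

    def login(self, session_id):
        self.tokens[session_id] = secrets.token_hex(16)

    def render_page(self, session_id):
        # The token is embedded in the response body; whoever can read site A's
        # responses for this session can recover it.
        return f'<form><input type="hidden" name="token" value="{self.tokens[session_id]}"></form>'

    def handle(self, method, session_id, token):
        # The method plays no part: GET, POST or anything else is accepted
        # only when the presented token matches the session's token.
        expected = self.tokens.get(session_id)
        if expected is None or token is None or not hmac.compare_digest(expected, token):
            return 403
        return 200


def extract_token(html):
    m = re.search(r'name="token" value="([0-9a-f]+)"', html)
    return m.group(1) if m else None


def requests_from_other_origin(site, session_id):
    # A page on another origin can make the browser send requests carrying the
    # victim's cookie, but the same-origin policy hides site A's responses, so it
    # never learns the token and the check refuses every method.
    return [site.handle(m, session_id, None) for m in ("GET", "POST", "PUT")]


def requests_from_script_in_site_a(site, session_id):
    # Script running in site A's own origin (the XSS case) reads responses exactly
    # as the legitimate page does, so the token check no longer separates it from
    # the user, whatever the method.
    token = extract_token(site.render_page(session_id))
    return [site.handle(m, session_id, token) for m in ("GET", "POST", "PUT")]


if __name__ == "__main__":
    site = SiteA()
    site.login("victim-session")
    print(requests_from_other_origin(site, "victim-session"))      # [403, 403, 403]
    print(requests_from_script_in_site_a(site, "victim-session"))  # [200, 200, 200]
```

The check is sound against the cross-origin requester for every method, and equally useless for every method once the requester can read the response; the defence rests on response confidentiality, not on the token or the method.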