Re: CSRF vulnerability in Tyler's GuestXHR protocol?

>>
>> Some parts of the protocol are not clear to me. Can you please clarify
>> the following:
>> 1> In msg 1, what script context is the browser running in? Site A or
>> Site B? (In other words, who initiates the whole protocol?)
>
> Server A, or a bookmark.

Wasn't Maciej's original scenario that of a user going to Site B (an
event's site) and adding stuff to his calendar at A? In such a
scenario, the complete protocol should ideally start with B.

Thanks
devdatta

Received on Saturday, 14 November 2009 02:45:57 UTC