- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 7 Jun 2009 16:29:52 -0700
- To: "Mark S. Miller" <erights@google.com>
- Cc: public-webapps <public-webapps@w3.org>
On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller <erights@google.com> wrote: > On Sun, Jun 7, 2009 at 3:54 PM, Adam Barth <w3c@adambarth.com> wrote: >> >> GET really doesn't have anything to do with it. The attacker can >> issue POST requests (and really any other method) too. Note that the >> attacker can read the response and follow any links, etc. > > Recall that we were examining the GET hypothesis under the assumption that > POSTs were already protected by secret tokens against XSRFs. Right, but once the attacker has XSSed site A, the attacker learns the secret token necessary to issue the next request in the chain to site A regardless of the method. Adam
Received on Sunday, 7 June 2009 23:30:51 UTC