- From: Mark S. Miller <erights@google.com>
- Date: Sun, 7 Jun 2009 18:24:09 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webapps <public-webapps@w3.org>
Received on Monday, 8 June 2009 01:33:50 UTC
On Sun, Jun 7, 2009 at 4:29 PM, Adam Barth <w3c@adambarth.com> wrote:
>
> Right, but once the attacker has XSSed site A, the attacker learns the
> secret token necessary to issue the next request in the chain to site
> A regardless of the method.
>

Recall that this is in response to

On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <erights@google.com> wrote:
> If servers at A don't freely hand out such tokens in response to guessable
> GET requests,

So, if servers at A don't do this, how does the attacker, having XSSed site A, learn the secret token necessary to issue the next request?

--
Cheers,
--MarkM