Cross-site request forgery: Difference between revisions

Line 29: Line 29:
#* Due to same-origin policy, other websites cannot see the cookies for <code>shopping.com</code>.
#* Due to same-origin policy, other websites cannot see the cookies for <code>shopping.com</code>.


Note that other origins can read hidden form fields and can send custom headers.   
Note that other origins may be able to read hidden form fields and can send custom headers if <code>Access-Control-Allow-Origin</code> is set incorrectly.   
This it is important for the backend to check the XSRF key against one that other websites cannot read.
It is important for the backend to check the XSRF key against one that other websites cannot read.


If you send the XSRF token in a cookie and a hidden form field, this will not require any JS since the browser will automatically repeat the hidden form field.   
If you send the XSRF token in a cookie and a hidden form field, this will not require any JS since the browser will automatically repeat the hidden form field.
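Review bot: in the revised "other origins" sentence (the second of the two versions), the qualification "if <code>Access-Control-Allow-Origin</code> is set incorrectly" grammatically attaches only to the custom-headers clause, so the sentence still reads as if reading hidden form fields cross-origin needs no misconfiguration. Both capabilities depend on a permissive CORS setup (reading the response containing the hidden field requires an overly broad <code>Access-Control-Allow-Origin</code>, and a custom header is only sent after the server approves it in the preflight), so consider wording it as "other origins may be able to read hidden form fields or send custom headers only if the CORS headers such as <code>Access-Control-Allow-Origin</code> are set incorrectly". The unchanged last sentence also says the browser "will automatically repeat the hidden form field": what the browser repeats automatically is the cookie, while the hidden field arrives because it is part of the submitted form, and the point of the scheme is that the backend compares the two values; stating that comparison explicitly would tie the sentence to the preceding one about checking the XSRF key.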