|
|
|
|
|
|
by ascorbic
3780 days ago
|
|
|
No, CSRF isn't about pulling scripts etc from another site, it's tricking the browser into making malicious HTTP requests. So, it's not trying to grab facebook .com/someinterestingdata.json, it's trying to trick your browser into performing actions on the target domain by making it perform GET or POST requests such as sending Facebook spam. It doesn't matter what the response is, it's just interested in the action. A while(1) won't do much if it's inside an img tag or hidden iframe rather than a script tag. |
|
|