by spookylukey
3669 days ago
The current spec has a serious flaw for CSRF prevention - it doesn't include the protocol in the definition of site, only the domain. This allows a MITM'd http page to CSRF a https site. This same flaw is in cookies themselves - a cookie set over https is used for http requests.
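The cookie behaviour the comment describes, as an added example that is not part of the original post or of any browser's code: a deliberately simplified cookie-jar model (hypothetical class `MiniCookieJar`, keyed by host only, honouring only the `Secure` attribute) that shows a cookie set by an https origin being attached to a plain-http request to the same host, and how the `Secure` attribute is what stops that. The `Set-Cookie` headers and host name are constructed.

```python
"""Added example: why a cookie set over https is still sent on http requests
unless it carries the Secure attribute. Hypothetical simplified model, not
a real browser's cookie jar; Set-Cookie headers below are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class MiniCookieJar:
    """Stores cookies per host and decides which ones a request would carry.

    Like the site definition criticised in the comment, storage is keyed by
    host only, so the scheme the cookie was set over is never remembered.
    The only scheme-aware check is the Secure flag at send time.
    """

    def __init__(self):
        self._store = {}  # (host, name) -> (value, secure_flag)

    def set_cookie(self, url, set_cookie_header):
        """Record a cookie from a Set-Cookie header received for `url`."""
        host = urlsplit(url).hostname
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            # morsel["secure"] is True when the attribute was present, "" otherwise
            self._store[(host, name)] = (morsel.value, bool(morsel["secure"]))

    def cookies_for(self, url):
        """Return the cookies a request to `url` would carry (name -> value)."""
        parts = urlsplit(url)
        sent = {}
        for (host, name), (value, secure) in self._store.items():
            if host != parts.hostname:
                continue
            # A Secure cookie is withheld from non-https requests.
            if secure and parts.scheme != "https":
                continue
            sent[name] = value
        return sent


def demo():
    """Both cookies are set by the https origin; only the Secure one stays off http."""
    jar = MiniCookieJar()
    jar.set_cookie("https://bank.example/login", "session=abc123; HttpOnly")
    jar.set_cookie("https://bank.example/login",
                   "session_secure=def456; Secure; HttpOnly")
    return {
        "https": jar.cookies_for("https://bank.example/transfer"),
        "http": jar.cookies_for("http://bank.example/transfer"),
    }


if __name__ == "__main__":
    for scheme, cookies in demo().items():
        print(f"{scheme:5s} request carries: {cookies}")
```

Without `Secure`, the `session` cookie travels on the http request even though it was only ever set over https, which is the property that lets an http page on the same host be used against the https site; marking session cookies `Secure` is the defence the model makes visible.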