by dagobah
3141 days ago
I think https://en.wikipedia.org/wiki/Cross-site_request_forgery#Coo... is flawed too because "Access-Control-Allow-Origin: *" doesn't let browsers send cookies with the request, so any of the CSRF prevention methods shouldn't be broken by it. I was just using "Access-Control-Allow-Origin: malware.com" as an example of a worst case scenario where I still don't think the cookie-to-header method is exploitable, unless I'm missing something. The articles don't give examples or link to sources, so I'm guessing both are slightly wrong. I could try to edit them, but wanted to make sure I wasn't wrong first.