by SahAssar 3076 days ago
The vuln is in the fact that the program blindly trusts incoming HTTP based only on a nonce being in both the body and a header.
1 comment

No, the "vuln" is assuming that only users on the machine can access localhost. This is a completely reasonable assumption, and it is on the browsers for invalidating it.