by chrisseaton
2978 days ago
It's not about access control, it's about the fact that browsers are free to make speculative GET requests whenever they like, and they actively do so to pre-fetch pages. His GET endpoint was pre-fetched by his browser, activating the door. This would still happen even if there were a token or session associated.
This is exactly the scenario a CSRF token is supposed to prevent. But I understand your point.
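Added example (not code from either commenter): a minimal, simulated request handler for the door endpoint showing why the state change has to live behind POST rather than GET. A speculative GET carries the user's session cookie, so a session alone does not stop it; refusing side effects on safe methods does, and the CSRF token then covers cross-site POSTs. Requests are plain dicts and the service name, paths and fields are made up for the example.

```python
# Added example: a state-changing "open door" action that a browser prefetch
# cannot trigger. Requests are simulated as dicts; no real HTTP server involved.
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # browsers may issue these speculatively


class DoorService:
    def __init__(self):
        self.actuations = []   # one entry per physical "open" command sent
        self.sessions = {}     # session id -> CSRF token bound to that session

    def start_session(self):
        """Simulates login: returns (session id, per-session CSRF token)."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid, self.sessions[sid]

    def handle(self, request):
        """request = {'method', 'path', 'cookies': {...}, 'form': {...}}.
        Returns (status, message)."""
        if request["path"] != "/door/open":
            return 404, "not found"
        method = request["method"]
        # 1. Never perform a side effect on a safe method. A prefetch GET
        #    arrives with the user's cookies, so checking the session here
        #    would not help; the method itself is the signal to refuse.
        if method in SAFE_METHODS:
            return 405, "state change requires POST"
        if method != "POST":
            return 405, "method not allowed"
        # 2. Require an authenticated session.
        sid = request.get("cookies", {}).get("session")
        expected = self.sessions.get(sid)
        if expected is None:
            return 401, "no session"
        # 3. Require the CSRF token bound to that session, so a cross-site
        #    form POST (which also carries the cookie) is rejected too.
        supplied = request.get("form", {}).get("csrf_token", "")
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return 403, "bad csrf token"
        self.actuations.append(sid)
        return 200, "door opened"


def demo():
    """Prefetch GET with a valid cookie must not actuate; a proper POST does."""
    svc = DoorService()
    sid, tok = svc.start_session()
    prefetch = svc.handle({"method": "GET", "path": "/door/open",
                           "cookies": {"session": sid}})
    real = svc.handle({"method": "POST", "path": "/door/open",
                       "cookies": {"session": sid}, "form": {"csrf_token": tok}})
    return prefetch[0], real[0], len(svc.actuations)
```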