by metafunctor
2733 days ago
We are talking about XSS, where an attacker can run their JS code on your page. If the attacker can run JS on your page, they can already do whatever your signed-in user can do. No need to read the cookie to make authenticated requests, just like your own code doesn’t need to read the cookie.