by
nicolaslem
2538 days ago
Isn't that vulnerable to CSRF? What if a page linked on the front of HN makes a request collapsing every single comment?
2 comments
slg
2538 days ago
One of the top posts in the history of HN was a link that upvoted itself due to this issue.
thepete2
2538 days ago
Yes, but you need a token to log out. For collapsing comments it should work, though.
thepete2
2538 days ago
Correction: same-origin policy, so it doesn't work.
lol768
2537 days ago
SOP isn't relevant here - it relates generally to _reading_ content from another origin.
What is relevant here is whether the cookies are SameSite and/or whether a token is required.
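The two checks named in the last comment (SameSite cookies and a per-request token), sketched as an added example that is not part of the thread and not Hacker News's own code. The browser rule is simplified, and `SERVER_KEY`, the session id and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients

def cookie_attached(samesite: str, cross_site: bool, method: str, top_level_nav: bool) -> bool:
    """Simplified browser rule: is the session cookie sent with this request?"""
    if not cross_site or samesite == "None":
        return True
    if samesite == "Lax":
        # Lax still sends cookies on cross-site top-level navigations with a safe method,
        # so a state-changing GET link is not protected by Lax alone.
        return top_level_nav and method == "GET"
    return False  # Strict: never sent on cross-site requests

def action_token(session_id: str, action: str, item_id: str) -> str:
    """Token bound to session, action and item, so it cannot be reused for another action."""
    msg = "|".join((session_id, action, item_id)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def accept(session_id, action: str, item_id: str, token) -> bool:
    """Server-side check for a state-changing request such as collapse, vote or logout."""
    if session_id is None or not token:
        return False  # no cookie arrived, or the request carries no token
    expected = action_token(session_id, action, item_id)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), token.encode())

def handle(samesite, cross_site, method, top_level_nav, action, item_id, token,
           session_id="s-1234"):  # constructed session id of the logged-in user
    """Combine both layers for one request made by that user's browser."""
    attached = cookie_attached(samesite, cross_site, method, top_level_nav)
    return accept(session_id if attached else None, action, item_id, token)
```

Reading the response from another origin never appears in this check, which is why the same-origin policy does not decide the outcome.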