eurleif
5188 days ago
Why shouldn't you trust user-provided data to secure the same user's data? The potential attack is someone forging their own referer header in order to attack themself.
1 comment
sdevlin
5188 days ago
The referer header can easily be forged. The whole point of a CSRF attack is to turn a user's credentials against him.
eurleif
5188 days ago
How do you forge the referer header as a third-party site?
sdevlin
5188 days ago
Ha, I'm wrong. I thought you could set the referer with setRequestHeader on an XHR. Mea maxima culpa.
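The point the thread settles on, as an added example that is not part of the original discussion: browsers treat `Referer` as a forbidden header name, so page script on a third-party site cannot set it, and a server-side check of `Origin`/`Referer` against the site's own origin is a workable CSRF defense. The header object shape, the `ALLOWED` list and the sample requests below are constructed for illustration.

```javascript
// Added example (not from the HN thread): server-side CSRF origin check.
// Script on an attacker's page cannot set Referer (a forbidden header name
// in the Fetch standard), so on a cross-site request Origin/Referer name the
// attacking site. Only the user themself could forge it, which gains nothing.

function originOf(value) {
  // Reduce a URL or origin string to its origin; null if unparsable.
  try { return new URL(value).origin; } catch { return null; }
}

/**
 * Returns true when a state-changing request should be accepted.
 * headers: object with lower-cased header names -> values (constructed shape).
 * allowedOrigins: array of origins such as "https://bank.example".
 */
function isSameSiteRequest(headers, allowedOrigins) {
  // Prefer Origin; browsers send it on cross-origin and on non-GET requests.
  const origin = headers["origin"];
  if (origin && origin !== "null") {
    return allowedOrigins.includes(originOf(origin));
  }
  // Fall back to Referer; compare the origin only, never the full URL string,
  // so "https://bank.example.evil.example/" does not match by prefix.
  const referer = headers["referer"];
  if (referer) {
    return allowedOrigins.includes(originOf(referer));
  }
  // Neither header present: fail closed. Privacy tools may strip Referer,
  // so production code usually pairs this check with a synchronizer token.
  return false;
}

const ALLOWED = ["https://bank.example"]; // constructed

// Constructed sample requests
const legit = { origin: "https://bank.example", referer: "https://bank.example/transfer" };
const crossSite = { origin: "https://evil.example", referer: "https://evil.example/page.html" };
const stripped = {};

console.log(isSameSiteRequest(legit, ALLOWED));     // true
console.log(isSameSiteRequest(crossSite, ALLOWED)); // false
console.log(isSameSiteRequest(stripped, ALLOWED));  // false
```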