by jokethrowaway
910 days ago
Do you mean CSRF?
I don't see upvote links for some reason so I can't debug - but does auth contain a CSRF token? If not, you could craft a page which upvotes posts for the current visitor (if they're logged in to HN). You could mitigate it with server-side checks (or maybe some new browser tech I don't know about?) but I think the synchroniser token pattern is still the current solution.
|
Yes, it looks like it does. Also, the vote auth param is different for every link.
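The server-side check discussed in this thread, as an added example that is not part of the original comments and is not Hacker News code: each vote link carries an `auth` value derived by HMAC from a secret held only in the server-side session, so it differs for every link and a page on another origin cannot supply it. The URL layout, parameter names other than `auth`, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def new_session_secret() -> bytes:
    # Assumption: generated at login and stored only in the server-side session.
    return secrets.token_bytes(32)


def vote_auth(secret: bytes, item_id: int, how: str) -> str:
    # Binding the item id and direction makes the value differ for every link.
    msg = f"vote|{item_id}|{how}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def vote_link(secret: bytes, item_id: int, how: str = "up") -> str:
    # Hypothetical URL layout; "id" and "how" are assumed parameter names.
    auth = vote_auth(secret, item_id, how)
    return "/vote?" + urlencode({"id": item_id, "how": how, "auth": auth})


def accept_vote(secret: bytes, url: str) -> bool:
    """Accept a vote request only if its auth value matches this session."""
    params = parse_qs(urlsplit(url).query)
    try:
        item_id = int(params["id"][0])
        how = params["how"][0]
        supplied = params["auth"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameter: reject
    if how not in ("up", "down"):
        return False
    expected = vote_auth(secret, item_id, how)
    # Constant-time comparison, on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    session = new_session_secret()  # constructed sample session
    link = vote_link(session, 101)
    print(link, accept_vote(session, link))
    # A cross-site request can name the item but not the auth value.
    print(accept_vote(session, "/vote?id=101&how=up"))
```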