Hacker News new | ask | show | jobs
by sillysaurusx 885 days ago
Session cookies are generally not available to javascript. The latter is true though.
1 comments
None4U 885 days ago
Perhaps HttpOnly wasn't as prevalent back then?
link
matsemann 884 days ago
Yup, no CORS either, all protections relied on having proper CSRF-tokens, but with JS access one could read that token as well.

My "hack" was mostly pretty harmless. Just did some layout changes to make my profile cooler. But the door was wide open for anything.

link