by Muromec 474 days ago
You do rely on browsers to isolate contexts. The problem with CSRF is that data leaks from one privileged context to another (think of reading from the kernel memory of another VM on the same host on AWS). If you don't have the browser, you don't have the user session to abuse in the first place.

The whole thing boils down to this:

- browser has two tabs -- one with authenticated session to web banking, another with your bad app

- you as a bad app can ask the browser to make an HTTP request to the bank API, and the browser will not just happily do it, but also attach the cookie from the authenticated session the user has opened in the other tab. That's CSRF, and it's not even a bug

- you, however, can't as a bad app read the response unless the bank API tells the browser you are allowed to, which is what CORS is for. Maybe you have an integration with them or something

The browser is holding both contexts and is there to enforce what data can cross the domain boundary. No browser, no problem.
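As an added illustration of the two-tab scenario in the comment above (this is not the commenter's code, and it is not real browser code): a small Node.js model of the two browser rules involved, "send the request and attach the target site's cookie" versus "let the requesting script read the response only if CORS allows it". The origins `bank.example`, `evil.example` and `partner.example`, the session value and the transfer endpoint are all made up for the example. It also models the two defences the comment's "not even a bug" framing leaves out: the server refusing requests whose `Origin` is not its own, and `SameSite` cookies, which Chromium-based browsers now default to `Lax` so the cookie is withheld on cross-site POSTs.

```javascript
// Added example: a model of browser cookie and CORS rules, not real browser code.
// All origins and session values below are constructed for illustration.
const BANK = "https://bank.example";
const EVIL = "https://evil.example";
const PARTNER = "https://partner.example";

// The browser's cookie jar after the user logged in to the bank in tab 1.
// sameSite "None" is the old behaviour (cookie rides on every cross-site
// request); "Lax" withholds it on cross-site POSTs.
function makeCookieJar(sameSite) {
  return { [BANK]: { value: "session=alice", sameSite } };
}

// The bank's transfer endpoint. It trusts the session cookie. `checkOrigin`
// switches on the CSRF defence of rejecting requests whose Origin is not the
// bank; `cors` lists the origins allowed to read responses.
function makeBank({ checkOrigin = false, cors = [] } = {}) {
  const balances = { alice: 100 };
  function handle(req) {
    const headers = {};
    if (cors.includes(req.origin)) {
      headers["Access-Control-Allow-Origin"] = req.origin;
      headers["Access-Control-Allow-Credentials"] = "true";
    }
    if (req.cookie !== "session=alice") return { status: 401, body: "no session", headers };
    if (checkOrigin && req.origin !== BANK) return { status: 403, body: "cross-site request refused", headers };
    balances.alice -= req.amount; // side effect happens here, before any CORS decision
    return { status: 200, body: `balance=${balances.alice}`, headers };
  }
  return { balances, handle };
}

// The browser: a script in the `initiator` tab asks for a POST to the bank.
function browserPost(initiator, jar, bank, amount) {
  const crossSite = initiator !== BANK;
  const cookie = jar[BANK];
  // Rule 1: the request is sent, with the bank's cookie attached unless
  // SameSite forbids it. The script never sees the cookie value.
  const attach = Boolean(cookie) && (!crossSite || cookie.sameSite === "None");
  const res = bank.handle({ origin: initiator, amount, cookie: attach ? cookie.value : undefined });
  // Rule 2 (CORS): the script may read the response only if it is same-origin
  // or the bank explicitly named this origin. Because the request carried
  // credentials, a wildcard Access-Control-Allow-Origin would not count.
  const allow = res.headers["Access-Control-Allow-Origin"];
  const creds = res.headers["Access-Control-Allow-Credentials"] === "true";
  const readable = !crossSite || (allow === initiator && creds);
  return readable
    ? { readable: true, status: res.status, body: res.body }
    : { readable: false, status: null, body: null }; // real fetch() throws a TypeError here
}

// Run the comment's scenarios plus the two defences and report what happened.
function scenarios() {
  const out = {};
  // 1. CSRF: evil tab posts a transfer. The bank executes it; evil reads nothing.
  let bank = makeBank();
  let r = browserPost(EVIL, makeCookieJar("None"), bank, 40);
  out.csrf = { balance: bank.balances.alice, readable: r.readable };
  // 2. Same-origin: the bank's own page both transfers and reads the reply.
  bank = makeBank();
  r = browserPost(BANK, makeCookieJar("None"), bank, 40);
  out.sameOrigin = { balance: bank.balances.alice, readable: r.readable, body: r.body };
  // 3. CORS opt-in: the bank lets an integration partner read responses.
  bank = makeBank({ cors: [PARTNER] });
  r = browserPost(PARTNER, makeCookieJar("None"), bank, 40);
  out.partner = { balance: bank.balances.alice, readable: r.readable, body: r.body };
  // 4. Defence A: the bank refuses cross-site Origins, so nothing is transferred.
  bank = makeBank({ checkOrigin: true });
  browserPost(EVIL, makeCookieJar("None"), bank, 40);
  out.originCheck = { balance: bank.balances.alice };
  // 5. Defence B: SameSite=Lax, the cookie is never attached cross-site.
  bank = makeBank();
  browserPost(EVIL, makeCookieJar("Lax"), bank, 40);
  out.sameSiteLax = { balance: bank.balances.alice };
  return out;
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The point the model makes concrete is ordering: the transfer in scenario 1 goes through before the CORS decision is ever made, because CORS governs who may read a response, not whether a request is sent. That is why CORS headers alone are not a CSRF defence, and why the fix lives in the request path (Origin or CSRF-token checks, SameSite cookies) rather than the response path.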