Y
Hacker News
new
|
ask
|
show
|
jobs
by
paulhodge
306 days ago
That’s bad because visiting an evil site can easily trick your browser into performing one of those requests using your own credentials. CORS doesn’t stop the backend state effect from happening.
1 comments
MajesticHobo2
305 days ago
That's exactly why I don't agree that GETs should be broadly exempted from CSRF protections. I'm not talking about CORS at all.
link