by c4urself 4714 days ago
You're misunderstanding how CSRF works. Say a user is logged in to the site JoeNotProtectedByCSRF.tld with a session cookie or similar authentication token. SpammySite.tld comes along with a form to POST a change to some value on JoeNotProtectedByCSRF.tld, such as a password field. Because your browser always sends along the cookies to the end domain, your session cookie will be abused. With a check against a unique-to-the-user CSRF token as a hidden input on the form, this doesn't happen.
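As an added example (not code from the comment or from any site it names), the check described above in Python: a session-bound CSRF token is embedded as a hidden input, and the unprotected password-change handler is shown beside the protected one. The in-memory session store, the handler names and the form field names are assumptions for illustration.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store (session_id -> session data). A real app
# would keep this in its server-side session backend; this is an assumption.
SESSIONS = {}

def new_session():
    """Create a logged-in session and bind a fresh, unique-to-the-user CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "joe", "csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_change_password_form(sid):
    """Render the form with the session's CSRF token as a hidden input.
    Only a page served to this user (same origin) contains this value."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/change-password">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input type="password" name="new_password">'
        '<button type="submit">Change</button></form>'
    )

def handle_change_password_unprotected(cookies, form):
    """The JoeNotProtectedByCSRF.tld case: only the session cookie is checked,
    so a POST from any origin that the browser attaches the cookie to succeeds."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    session["password"] = form["new_password"]
    return 200

def handle_change_password_protected(cookies, form):
    """Hardened handler: the request must also carry the token bound to this
    session. A cross-site form cannot read it, so it cannot supply it."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    session["password"] = form["new_password"]
    return 200
```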