Aristotle Pagaltzis wrote:
> * Peter Karman <[EMAIL PROTECTED]> [2008-01-23 03:50]:
> > In my apps, I do server-side auth checks to verify that users
> > can't act on data they should not have access to.
>
> Peter, meet XSRF. XSRF, meet Peter.
>
> :-)
>
> My point with `<img src="/foo/delete">` was that an attacker
> tries to get an authenticated and authorised user to visit a
> page which contains that tag.
>
> Or maybe an authenticated and authorised user has software like
> the Google Web Accelerator installed.
>
> Regards,


But surely the same is true for POST as well using a form/javascript.
So what does that leave?

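An added illustration of the exchange above (not code from the thread or from Catalyst): three versions of a `/foo/delete` handler run against a constructed request model. The first deletes on any authenticated request, so the `<img src="/foo/delete">` GET succeeds; the second accepts only POST, which, as the reply points out, still lets an auto-submitted cross-site form through; the third also demands a per-session CSRF token that only the application's own pages can embed, which is what the POST restriction leaves you needing. The `Request` class, the session dictionaries and the record set are all constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for a framework request: the session dict is what
# the browser's cookie resolves to, so it is sent on cross-site requests too.
@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)   # merged query/form fields
    session: dict = field(default_factory=dict)  # server-side session record


def issue_csrf_token(session):
    """Put a fresh random token in the session and return it so the
    application's own page can embed it in its delete form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(request):
    """Compare the submitted token with the session copy in constant time."""
    expected = request.session.get("csrf_token")
    supplied = request.params.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def _authorised(request):
    # The server-side auth check from the thread: right path, logged-in user.
    return request.path == "/foo/delete" and bool(request.session.get("user"))


def delete_naive(request, records):
    """Authorisation only. Any request, an <img> GET included, deletes."""
    if not _authorised(request):
        return 403
    records.discard(request.params.get("id"))
    return 200


def delete_post_only(request, records):
    """Authorisation plus 'POST only'. Stops the <img> tag but not a
    cross-site form that JavaScript submits automatically."""
    if not _authorised(request):
        return 403
    if request.method != "POST":
        return 405
    records.discard(request.params.get("id"))
    return 200


def delete_with_token(request, records):
    """Authorisation, POST, and a token the attacker's page cannot know."""
    if not _authorised(request):
        return 403
    if request.method != "POST":
        return 405
    if not csrf_token_valid(request):
        return 403
    records.discard(request.params.get("id"))
    return 200


def simulate():
    """Run each handler against forged and legitimate requests; the
    session is the same in every case because the cookie rides along."""
    session = {"user": "peter"}
    results = {}

    results["naive_img_get"] = delete_naive(
        Request("GET", "/foo/delete", {"id": "1"}, session), {"1", "2"})
    results["post_only_img_get"] = delete_post_only(
        Request("GET", "/foo/delete", {"id": "1"}, session), {"1", "2"})
    results["post_only_forged_post"] = delete_post_only(
        Request("POST", "/foo/delete", {"id": "1"}, session), {"1", "2"})
    results["token_forged_post"] = delete_with_token(
        Request("POST", "/foo/delete", {"id": "1"}, session), {"1", "2"})

    token = issue_csrf_token(session)  # rendered into the app's own form
    results["token_legit_post"] = delete_with_token(
        Request("POST", "/foo/delete", {"id": "1", "csrf_token": token},
                session), {"1", "2"})
    return results


if __name__ == "__main__":
    for name, status in simulate().items():
        print(f"{name:24s} -> {status}")
```

The token has to live in the server-side session (or be derived from it with a keyed MAC) rather than in a cookie alone, since the attacker's page can make the browser send cookies but cannot read them; and the comparison uses `hmac.compare_digest` so that a wrong token fails in the same time as any other wrong token.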

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
