On Thu, Oct 22, 2009 at 8:58 AM, Mike Ter Louw <[email protected]> wrote:
> I've added a CSRF straw-man:
>
> https://wiki.mozilla.org/Security/CSP/CSRFModule
>
> This page borrows liberally from XSSModule. Comments are welcome!
Two comments:

1) The attacker goal is very syntactic. It would be better to explain what the attacker is trying to achieve instead of how we imagine the attack taking place.

2) It seems like an attacker can easily circumvent this module by submitting a form to attacker.com and then generating the forged request (which will be sent with cookies because attacker.com doesn't enable the anti-csrf directive).

Adam

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
