On Thu, Oct 22, 2009 at 9:52 AM, Mike Ter Louw <[email protected]> wrote:
> I agree. It seems anti-csrf (as currently defined) would be most beneficial
> for defending against CSRF attacks that don't require any user action beyond
> simply viewing the page (e.g., <img src="attack">).

Maybe we should focus the module on this threat more specifically. My understanding is that this is a big source of pain for folks who operate forums, especially for user-supplied images that point back to the forum itself. What if the directive was something like "cookieless-images" and affected all images, regardless of where they were loaded from?

Adam
