On Apr 24, 2014 7:39 AM, "Anders Wegge" <awe...@gmail.com> wrote:
>
> In the classic meaning of CSRF, you are right. But if JavaScript from a malicious site can get access to all cookies in the browser, it would be trivially simple to construct an XmlHttpRequest that contains the correct CSRF token. While most browsers are sandboxing data, I do not want to rely on that.
At that point the browser is totally broken. I would think hard about whether this is really in your threat model.
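As an added illustration of the synchronizer-token check the thread is debating (this is not code from the thread or from Pyramid; the Session and Request classes are constructed stand-ins, and the field name csrf_token and header name X-CSRF-Token are assumptions), the forged cross-site request fails only because the attacker cannot read the token, which is exactly the same-origin guarantee the reply says you have to assume:

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for a server-side session store."""
    data: dict = field(default_factory=dict)

    def get_csrf_token(self) -> str:
        # Created once per session; rendered into pages, never stored in a cookie.
        if "_csrft_" not in self.data:
            self.data["_csrft_"] = secrets.token_hex(20)
        return self.data["_csrft_"]


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    session: Session
    params: dict = field(default_factory=dict)   # form fields / query string
    headers: dict = field(default_factory=dict)  # HTTP request headers


def check_csrf_token(request: Request) -> bool:
    """Return True only if the submitted token equals the session's token.

    The token is read from the 'csrf_token' form field or, for an
    XmlHttpRequest, from the 'X-CSRF-Token' header (assumed names).
    """
    expected = request.session.get_csrf_token()
    supplied = request.params.get("csrf_token") or request.headers.get("X-CSRF-Token")
    if not supplied:
        return False
    # Constant-time comparison on bytes; non-ASCII input cannot raise here.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo() -> tuple:
    session = Session()
    token = session.get_csrf_token()
    # Forged cross-site POST: rides on the session cookie but carries no token.
    forged = Request(session, params={"amount": "100"})
    # Legitimate form post with the token that was rendered into the page.
    form = Request(session, params={"amount": "100", "csrf_token": token})
    # Legitimate XHR sending the token in a header.
    xhr = Request(session, headers={"X-CSRF-Token": token})
    # Attacker guessing a token value without having read it.
    guess = Request(session, params={"csrf_token": "0" * 40})
    return tuple(check_csrf_token(r) for r in (forged, form, xhr, guess))


if __name__ == "__main__":
    print(demo())  # (False, True, True, False)
```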