Also, from a third-party website, one can request a page that has a
form, parse that page and get the authenticity_token,
then construct a POST request with this authenticity_token.

Regards,
Pankaj

On Sep 19, 2:43 am, Courtenay <[EMAIL PROTECTED]> wrote:
> Yes, but it prevents a third-party site from doing something like this
> (yes, a variation on this really happened)
>
> <form action="http://twitter.com/statuses/" method="post" id="hax">
>   <input type="hidden" name="status[text]" value="OMG hax!!" />
> </form>
> <script>$('hax').submit();</script>
>
> On Thu, Sep 18, 2008 at 1:08 PM, pankaj <[EMAIL PROTECTED]> wrote:
>
> > To prevent XSS attacks, Rails generates an authenticity_token for every
> > form.
> > This token has to be present with every request other than 'get'.
> > I have noticed that this token is the same across the application... I
> > think for a particular session.
> > This token can be extracted by JavaScript and a new create/update/
> > delete request can be successfully executed.
> > Then the authenticity_token is of no use.
> > Correct me if I am wrong?
>
> > Regards,
> > Pankaj
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-core?hl=en
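The check the thread is arguing about, written out as an added example (editor's code, not Rails' own protect_from_forgery implementation and not code from either poster). The Session class and the request hashes are constructed stand-ins for the cookie-backed session store and for the request params; generating the token as a random value stored in the session is an assumption, the point is only that there is one token per session and every non-GET request must carry it. Scenario 2 is the auto-submitted form from Courtenay's mail, scenario 3 is the "fetch the page from a third-party site and lift the token" approach from the top of the thread, and scenario 4 shows why the token alone does nothing for GET.

```ruby
require 'securerandom'

# Constructed stand-in for the per-browser session store (assumption).
class Session
  def initialize; @data = {}; end
  def [](k); @data[k]; end
  def []=(k, v); @data[k] = v; end
end

# Issue the per-session token once and reuse it for every form rendered
# in that session (assumption: a random value kept in the session).
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# The hidden field that form_for / form_tag add to every generated form.
def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token(session)}" />)
end

# Constant-time comparison so the check does not leak token bytes via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack("C*")
  r = 0
  b.each_byte { |byte| r |= byte ^ l.shift }
  r.zero?
end

# The check itself: GET passes untouched (so GET must never change state);
# every other verb must carry a token equal to the one in the *requester's
# own* session, which the browser selects via the session cookie.
def verified_request?(method, params, session)
  return true if method == 'GET'
  submitted = params['authenticity_token']
  expected  = session[:_csrf_token]
  return false if submitted.nil? || expected.nil?
  secure_compare(submitted.to_s, expected)
end

# Four requests against the victim's session; returns which ones verify.
def scenarios
  victim = Session.new
  hidden_token_field(victim)  # rendering the real form stores the token

  # 1. Same-origin form submitted by the victim: token present and matching.
  legit  = { 'status[text]' => 'hello', 'authenticity_token' => victim[:_csrf_token] }

  # 2. The forged form from the quoted mail, auto-submitted by a third-party
  #    page.  The cookie rides along, but that page cannot read twitter.com's
  #    DOM (same-origin policy), so it has no token to send.
  forged = { 'status[text]' => 'OMG hax!!' }

  # 3. The attacker fetches the form under *their own* session, extracts the
  #    token, and replays it in the victim's browser.  It is bound to the
  #    attacker's session, so it is not the value the victim's session expects.
  attacker = Session.new
  replay = { 'status[text]' => 'OMG hax!!',
             'authenticity_token' => form_authenticity_token(attacker) }

  {
    legit_post:     verified_request?('POST', legit,  victim),  # true
    forged_post:    verified_request?('POST', forged, victim),  # false
    replayed_token: verified_request?('POST', replay, victim),  # false
    forged_get:     verified_request?('GET',  forged, victim),  # true: GET is never checked
  }
end

if __FILE__ == $0
  scenarios.each { |name, ok| puts "#{name}: #{ok ? 'verified' : 'rejected'}" }
end
```

The two cases that defeat this check are the ones the token is not designed for: a state-changing action reachable over GET, and script that already runs on the target origin (a real XSS), which can read the hidden field and submit with the victim's own token.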