> That can't happen: javascript can't read cookies from domains it  
> wasn't served from.
>
> Fred

The JavaScript would be served from the same website.
Consider a forum: you enter some JavaScript in a comment. When
another user opens the forum thread, the JavaScript you entered would be
executed. That is how I suppose CSRF works; correct me if
I'm wrong.

The JavaScript may not send the cookie to the third-party website (where
the cookie would be rebuilt, etc.); it may itself construct some
POST request (e.g. to transfer money from the user's account to the
hacker's account).

Regards,
Pankaj