<p><a href="https://stackoverflow.com/questions/10242263/what-is-csrf-protection-really-for-in-django?rq=1">This question</a> has a really good couple of answers about the same thing. Also, the last answer on there addresses the fact that it technically would be possible to scrape the form for the token (via JavaScript), and then submit a POST request with it (via JavaScript). But the victim would have to be logged in.</p>
<p>The point of the CSRF protection is to specifically prevent tricking a random user. It has nothing to do with client-side exploits. You also have to consider that part of the protection includes denying cross-site origin requests. The request would have to come from the same origin as the target site.</p>
<p>Bottom line, CSRF protection has value. It's a region of protection, but it's not the end-all be-all. And you can't defend against everything.</p>
<p>Quote from <a href="http://www.codinghorror.com/blog/2008/09/cross-site-request-forgeries-and-you.html" rel="nofollow noreferrer">a blog post about CSRF</a>:</p>
<blockquote>
<p><strong>Secret hidden form value.</strong> Send down a unique server form value with each form -- typically tied to the user session -- and validate that you get the same value back in the form post. The attacker can't simply scrape your remote form as the target user through JavaScript, thanks to same-domain request limits in the XmlHttpRequest function.</p>
</blockquote>
<p>... And comments of interest:</p>
<blockquote>
<p>I'm not a JavaScript wizard, but is it possible to load a remote page in a hidden iframe on the malicious page, parse it with JavaScript to find the hidden token and then populate the form the user is (presumably) about to submit with the right values?</p>
<ul><li>David Goodwin on September 24, 2008 2:35 AM</li></ul>
<p>@David Goodwin: No, the same-origin policy would prevent the malicious page from reading the contents of the iframe.</p>
<ul><li>Rico on September 24, 2008 3:03 AM</li></ul>
</blockquote>
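The session-tied hidden token scheme the quoted blog post describes, together with the origin check the answer mentions, as an added Python example that is not part of the answer or of Django's own middleware; the in-memory session store, the `csrf_token` field name and the `https://bank.example` site origin are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> per-session CSRF token.
SESSIONS = {}

SITE_ORIGIN = "https://bank.example"  # constructed origin of the protected site


def issue_csrf_token(session_id):
    """Create (or reuse) the secret value tied to this user's session.
    The server sends it down as a hidden field in every form it renders."""
    if session_id not in SESSIONS:
        SESSIONS[session_id] = secrets.token_urlsafe(32)
    return SESSIONS[session_id]


def render_form(session_id, action="/transfer"):
    """Render a state-changing form carrying the session's hidden token."""
    token = issue_csrf_token(session_id)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')


def validate_post(session_id, form_fields, origin=None):
    """Decide whether a POST is accepted. Two independent checks:
    1. If the browser sent an Origin header, it must name this site.
    2. The submitted token must equal the token tied to THIS session,
       compared in constant time. A token scraped from the attacker's own
       logged-in session does not match the victim's session.
    Returns (accepted, reason)."""
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin request rejected"
    expected = SESSIONS.get(session_id)
    submitted = form_fields.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(submitted, expected):
        return False, "missing or wrong csrf token"
    return True, "ok"


if __name__ == "__main__":
    victim = "sess-victim"
    legit_form = render_form(victim)
    # A forged cross-site form cannot read the victim's token (same-origin
    # policy), so it arrives with no token, or with the attacker's own one.
    print(validate_post(victim, {"csrf_token": SESSIONS[victim], "amount": "10"}, SITE_ORIGIN))
    print(validate_post(victim, {"amount": "10"}, "https://evil.example"))
    print(validate_post(victim, {"csrf_token": issue_csrf_token("sess-attacker")}))
```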