A recommendation for being able to include a CSRF prevention token in AJAX calls is to include it as a meta tag in your page, which can then be accessed and included in the header. http://ift.tt/1puC43S
How is this not exploitable? For example, if example.com included the CSRF token in a meta tag, could I not just create a malicious site that has some JavaScript that will make a call to example.com, then parse the response, find the meta tag, and inject the token value into my malicious page form?