Comment by Udo

13 years ago

> In this specific case merely forging a POST request externally does nothing as the user has to be signed in for this to work. Thus, restricting actions such as voting to POST (and restricting to same-origin) does constitute adequate protection if there is no XSS vulnerability on the site.

But if the user IS signed in (and if someone arrives at your site from a link on Hacker News there's a very good chance they will be signed in) a POST forged from your site can affect their session. Read up on CSRF - it's a very different vulnerability from XSS (though having an XSS vulnerability will make any CSRF protection you have in place null and void).

http://en.wikipedia.org/wiki/CSRF

  • Don't be so condescending, you didn't read my entire post. To quote myself:

      > POST (and restricting to same-origin)

    I still don't think it's possible to forge the referer header on an uncompromised browser.