Comment by simonw

13 years ago

But if the user IS signed in (and if someone arrives at your site from a link on Hacker News there's a very good chance they will be signed in) a POST forged from your site can affect their session. Read up on CSRF - it's a very different vulnerability from XSS (though having an XSS vulnerability will make any CSRF protection you have in place null and void).

http://en.wikipedia.org/wiki/CSRF

Don't be so condescending, you didn't read my entire post. To quote myself:

  > POST (and restricting to same-origin)

I still don't think it's possible to forge the referer header on an uncompromised browser.
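An added illustration of the defensive side of this thread (example code, not from either commenter): a request check that uses the Origin/Referer header as a first filter but still requires a per-session synchronizer token, since browsers and privacy tools may omit the Referer header entirely. `SITE_ORIGIN` and the request dictionaries are constructed sample values.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample origin; not taken from the original discussion.
SITE_ORIGIN = "https://example.com"


def new_csrf_token() -> str:
    """Generate a per-session token to be stored server-side and echoed in forms."""
    return secrets.token_urlsafe(32)


def same_origin(header_value: Optional[str], site_origin: str = SITE_ORIGIN) -> Optional[bool]:
    """Compare an Origin or Referer header value against the site's origin.
    Returns None when the header is absent (undecidable), True/False otherwise."""
    if not header_value:
        return None
    parts = urlsplit(header_value)
    site = urlsplit(site_origin)
    return (parts.scheme, parts.netloc) == (site.scheme, site.netloc)


def csrf_check(request: dict, session_token: str) -> Tuple[bool, str]:
    """Decide whether a state-changing request should be accepted.

    request: constructed dict with 'method', 'headers' (dict) and 'form' (dict).
    Defence in depth: reject requests whose Origin/Referer is cross-site, then
    require the synchronizer token regardless, because a missing Referer must not
    be treated as proof of same-origin."""
    if request["method"] not in ("POST", "PUT", "DELETE", "PATCH"):
        return True, "safe method"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    origin_ok = same_origin(headers.get("origin"))
    if origin_ok is None:
        origin_ok = same_origin(headers.get("referer"))
    if origin_ok is False:
        return False, "cross-origin request rejected"
    # origin_ok is True or None (header absent): the token is still authoritative
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```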