20070124

Sylvan von Stuppe: Breaking out of Same-Domain Constraints - Something useful

And now it occurs to me that if there's XSS on the site in question, the user doesn't have to send their token to the attacker site to get it reflected - they can just use XSRF or img or script tags on the same site, including the token.
