But if the user IS signed in (and if someone arrives at your site from a link on... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		simonw on March 23, 2012 \| parent \| context \| favorite \| on: Show HN: This up votes itself But if the user IS signed in (and if someone arrives at your site from a link on Hacker News there's a very good chance they will be signed in) a POST forged from your site can affect their session. Read up on CSRF - it's a very different vulnerability from XSS (though having an XSS vulnerability will make any CSRF protection you have in place null and void). http://en.wikipedia.org/wiki/CSRF

Udo on March 23, 2012 [–]

Don't be so condescending, you didn't read my entire post. To quote myself:

  > POST (and restricting to same-origin)

I still don't think it's possible to forge the referer header on an uncompromised browser.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact