On a second thought I think I missread what you wrote and you ment all of this within the scope of one domain and not from the perspective of an attacker.
On Monday, May 4, 2015 at 1:58:19 PM UTC+2, Florian Apolloner wrote: > > On Monday, April 20, 2015 at 6:38:55 AM UTC+2, Gavin Wahl wrote: >> >> > Though it could still ajax-in the token from a page that does have it, >>> right? >>> >> >> Exactly right. >> > > How so? You cannot just ajax-fetch stuff from different domains. The usual > security policies will forbid that. If you already injected javascript onto > the victims page (XSS) there is no need to fetch the CSRF token, you > already got greater control. If you still think you have a valid attack > vector there, please send it to [email protected] and add a bit > more explanation. > > Thanks & cheers, > Florian > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/27dc72ca-69a3-44e8-9d4f-e324dbaa7489%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
