Hi Kinn,

On Wed, May 11, 2016 at 10:20 AM, Kinn Julião <kin...@gmail.com> wrote:
>> JS code that does not have pages at all may obtain CSRF token manually.
>
> That's against CSRF protection... in fact, a remote app can obtain the token
> also and make the cross site request forgery...
>
> -1
You seem to have __misunderstood__ the behavior. The random CSRF token generation key is stored in session data, which is private to each user. The CSRF token is generated using that secret key. Therefore, an attacker cannot obtain a CSRF token unless they have already stolen the session (which is not in the scope of this RFC).

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
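The model described in the reply above, as an added example that is not code from the RFC or from either poster: a random secret is kept only in the server-side session store, each CSRF token is an HMAC over a context string keyed with that secret, and verification compares in constant time. The function names, the `csrf_key` session slot and the use of plain arrays in place of `$_SESSION` are assumptions made for the demonstration.

```php
<?php
// Added example (not from the RFC or the mailing-list thread). Function names
// and the 'csrf_key' session slot are assumptions; arrays stand in for $_SESSION.

declare(strict_types=1);

const CSRF_KEY_BYTES = 32;

/** Return this session's secret key, generating it on first use. */
function csrf_session_key(array &$session): string
{
    if (!isset($session['csrf_key']) || !is_string($session['csrf_key'])) {
        // random_bytes() is a CSPRNG; the key never leaves the server.
        $session['csrf_key'] = random_bytes(CSRF_KEY_BYTES);
    }
    return $session['csrf_key'];
}

/** Derive a token for one context (form or action name) from the session key. */
function csrf_token(array &$session, string $context): string
{
    return hash_hmac('sha256', $context, csrf_session_key($session));
}

/** Verify a submitted token; reject malformed input before the constant-time compare. */
function csrf_verify(array &$session, string $context, ?string $submitted): bool
{
    if ($submitted === null || strlen($submitted) !== 64 || !ctype_xdigit($submitted)) {
        return false;
    }
    return hash_equals(csrf_token($session, $context), $submitted);
}

// --- Demonstration with constructed session data ---------------------------
$victimSession   = [];   // the legitimate user's session store
$attackerSession = [];   // a separate session with its own random key

// Token handed to the victim's own page for the 'delete-account' form.
$token = csrf_token($victimSession, 'delete-account');

// Case 1: token derived from this session's key for this context.
var_dump(csrf_verify($victimSession, 'delete-account', $token));

// Case 2: same session, but the token was issued for a different context.
var_dump(csrf_verify($victimSession, 'change-email', $token));

// Case 3: a token a remote app can compute on its own is bound to a key it
// controls, not to the victim's session key, so it does not verify.
$foreign = csrf_token($attackerSession, 'delete-account');
var_dump(csrf_verify($victimSession, 'delete-account', $foreign));

// Case 4: malformed input is rejected before any comparison.
var_dump(csrf_verify($victimSession, 'delete-account', 'not-a-token'));
```

Binding the token to a context string means a token leaked from one form cannot be replayed against another action in the same session, and `hash_equals()` keeps the comparison time independent of how many leading characters match.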