On Thu, Apr 24, 2014 at 1:33 PM, Randall Leeds <[email protected]> wrote:

> On Apr 24, 2014 7:39 AM, "Anders Wegge" <[email protected]> wrote:
> >
> > In the classic meaning of CSRF, you are right. But if javascript from a
> > malicious site can get access to all cookies in the browser, it would be
> > trivially simple to construct an XmlHttpRequest that contains the correct
> > CSRF token. While most browsers are sandboxing data, I do not want to rely
> > on that.
>
> At that point the browser is totally broken. I would think hard about
> whether this is really in your threat model.
>
That's what I was thinking.  If that's broken in browsers then pretty much
the whole www is broken.  At a certain point you have to trust something to
work.

Chris

-- 
You received this message because you are subscribed to the Google Groups 
"pylons-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/pylons-discuss.
For more options, visit https://groups.google.com/d/optout.
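The synchronizer-token check the thread is discussing, written out as an added example (this is not code from the thread, nor from Pylons or Pyramid). It uses a constructed in-memory session store and hand-built request dictionaries in place of a real framework, and it shows why the check holds only under the assumption Randall names: the attacker's page can cause the browser to attach the session cookie, but cannot read the token that our origin embedded in its own page.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# A real application would keep this in its session backend.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token our own pages embed in forms rendered for this session."""
    return SESSIONS[sid]["csrf_token"]


def handle_post(cookies, form):
    """Return (status, body) for a state-changing POST.

    cookies: what the browser attaches automatically (the session cookie),
             regardless of which site initiated the request.
    form:    the request body, where the page must echo the token back.
    """
    sid = cookies.get("session")
    if sid is None or sid not in SESSIONS:
        return 401, "no session"
    expected = SESSIONS[sid]["csrf_token"]
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(expected, supplied):
        return 403, "bad csrf token"
    return 200, "ok"


def demo():
    """Run one legitimate request and two cross-site forgeries (constructed)."""
    sid = new_session()
    cookies = {"session": sid}  # sent by the browser on every request to us

    # Legitimate submit: the form was rendered by our origin, so it has the token.
    legit = handle_post(cookies, {"csrf_token": csrf_token_for(sid), "amount": "10"})

    # Forged submit from another origin: the cookie still rides along, but the
    # attacker never saw the token, so the field is missing ...
    forged = handle_post(cookies, {"amount": "10"})
    # ... or is a guess, which fails against a 256-bit random value.
    guessed = handle_post(cookies, {"csrf_token": secrets.token_urlsafe(32), "amount": "10"})
    return legit, forged, guessed


if __name__ == "__main__":
    print(demo())
```

Both forged requests are rejected solely because the token is not readable across origins. If a browser let a malicious site read another origin's cookies or page contents, as Anders worried, the attacker could simply copy the token into the request and this check would pass; that is the "at that point the browser is totally broken" case, which the token pattern does not and cannot defend against.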
