Are you talking about a top-frame navigation away from http://evil.com to http://bank.com, or a subresource request to http://bank.com while still on http://evil.com as the top-frame website?
And you're saying that the site is correct, that there are cases where this makes a CSRF unexploitable? You might be right, but for my own education, do you have an example? My intuition is that you can always just add a navigation.
-
We've made clear that we mean the third-party case in the blog post. And frankly, shouldn't we celebrate what was achieved today? I mean in terms of safety and privacy on the web. It's a huge step forward.
-
Ahh... you're not saying they're not exploitable anymore, you're saying that if a CSRF requires a navigation, then it's not a CSRF??? OK, well, I wasn't expecting that answer. I'm just trying to understand if it is safer; my intuition says it's a no-op.