But yes, the form[method=POST] would trigger a navigation away from http://evil.com, unless you add _target to form, but that doesn't change the fact that cookies are sent along with the request, right?
Ahh.. you're not saying they're not exploitable anymore, you're saying that if a CSRF requires a navigation, then it's not a CSRF??? OK, well, I wasn't expecting that answer. I'm just trying to understand if it is safer, my intuition says it's a no-op.
-
If it's a no-op, you or a coworker should change this document: https://www.chromestatus.com/feature/5088147346030592 …
-
Sure, that does seem like it could use some clarification too!