Comments on Jeremiah Grossman: Cross-Site Request Forgery (CSRF/XSRF) FAQ

Jeremiah Grossman (2007-01-18T13:21:00.000-08:00):
No, you're right, XHR cannot make off-domain requests. Usually when XHR is mentioned in this context it's for on-site Request Forgeries. Like for Web Worms, for instance.

Anonymous (2007-01-18T12:51:00.000-08:00):
I keep on seeing XMLHTTPRequest cited as a means of performing CSRF (it's in this FAQ), but I can't find anything to suggest this is possible without request smuggling / request splitting attacks.

Am I missing something?