What is Cross Site Request Forgery?
I keep on seeing XMLHttpRequest cited as a means of performing CSRF (it's in this FAQ), but I can't find anything to suggest this is possible without request smuggling / request splitting attacks.
Am I missing something?
No, you're right, XHR cannot make off-domain requests. Usually when XHR is mentioned in this context it's for on-site Request Forgeries, like for Web Worms for instance.
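The off-domain versus on-site distinction drawn in the answer, seen from the server side, as an added example that is not part of the original thread: a check that classifies a request's source from its `Origin` or `Referer` header and refuses state-changing requests that are not same-origin. `SITE_ORIGIN`, the function names and the header objects are assumptions made for illustration.

```javascript
// Added example: classify a request as same-origin or cross-site from its headers.
// SITE_ORIGIN is a constructed placeholder for the site's own origin.
const SITE_ORIGIN = "https://forum.example";

// Return the scheme://host[:port] origin of a URL string, or null if unusable.
function originOf(value) {
  try {
    const o = new URL(value).origin; // normalises host case and default ports
    return o === "null" ? null : o;  // opaque origins (data:, etc.) are unusable
  } catch {
    return null;                     // not an absolute URL, e.g. the literal "null"
  }
}

// Classify where a request came from: "same-origin", "cross-site" or "unknown".
// Header names are expected in lower case. Origin is preferred; Referer is the
// fallback when Origin is absent.
function classifySource(headers) {
  const claimed = headers["origin"] ?? headers["referer"];
  if (claimed === undefined) return "unknown";
  const source = originOf(claimed);
  if (source === null) return "cross-site"; // treat unparsable values as foreign
  return source === SITE_ORIGIN ? "same-origin" : "cross-site";
}

// Decide whether a request is allowed to change state on the server.
function allowStateChange(method, headers) {
  const safe = ["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase());
  if (safe) return true; // safe methods are assumed not to change state
  return classifySource(headers) === "same-origin";
}
```

A request issued by script already running in the site's own pages carries the site's origin and is classified as same-origin, so this check covers only the off-domain case; the on-site case has to be handled by keeping untrusted script out of the pages.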