Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> it set a cookie that your browser presents when it makes any request to bank.com, regardless of how it was initiated

Right, this seems like a very bad idea and now everyone has to do CSRF because of it?

CORS doesn't prevent evil.com from sending a reqeust to bank.com, it only prevents reading the response, no?

So again, what stops evil.com from sending a request to say transfer 1 BBBBillion dollars to bank.com and including a CSRF token it gets from visiting bank.com?



> Right, this seems like a very bad idea and now everyone has to do CSRF because of it?

Yep, that pretty much sums it up.

CORS doesn't have to enter into it though: evil.com just has no way to read the CSRF token from bank.com, it's a one-time password that changes with every form (one hopes) and it's embedded in places that it can't access. It can send an arbitrary POST request, but no script originating from evil.com (or anywhere that is not bank.com) can get at the token it would need for that post to get past the CSRF prevention layer.


> it only prevents reading the response, no?

> So again, what stops evil.com from sending a request to say transfer 1 BBBBillion dollars to bank.com and including a CSRF token it gets from visiting bank.com?

It can't read the response from bank.com so it can't read the CSRF token. The token is basically proving the caller is allowed to read bank.com with the user's credentials. Which is only possible if the caller lives on bank.com or a origin that bank.com has allowed via CORS.


CSRF tokens are only valid for a particular user, or session, or sometimes even a particular page load.

If there's a way for evil.com to obtain a CSRF token that's valid for an arbitrary user, it's a vulnerability, just like if evil.com could obtain the user's session token, JWT, etc.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: