Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I wouldn't call it a mistake. If you had asked me before this afternoon whether trusting X-Requested-With would protect against CSRF, I would have said yes. I still have no idea how you can send arbitrary cross-domain requests in Java and Flash: the fact that you can do so is a security vulnerability in and of itself.

That being said, I'm going to let them know to fix that code. ;)



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: