Hi Skalpa.
Quote:
don't forget CSRF starts with the assumption that JavaScript code can be inserted
It's quite natural.
The XSS + CSRF combination attack is the most powerful one.
If the form has XSS, neither a referer check nor a ticket makes any sense.
But there are many users with "referer off" in the world.
Thus, I insist on:
- referer check off
- ticket check (with a repost feature) on
Of course, XSS/script insertion can't be allowed.
Anyway, this English topic is much shorter than my original topic in Japanese.
Though I know I have to translate the whole of my opinion into English...
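The scheme argued for above (ticket check on, referer check off, with a "repost" fallback) as an added worked example; this is not code from the post or from the project being discussed. The session object, the field names `ticket` and `comment`, the host `wiki.example` and the "repost" form shape are all assumptions made for illustration. It walks three cases: a genuine user whose browser sends no Referer (accepted by the ticket check, but a Referer check would have turned them away), a cross-site forgery that cannot know the ticket (the form is re-shown, nothing is written), and a replay of a ticket that was already consumed.

```python
"""Ticket (CSRF token) check with a "repost" fallback and no Referer check.

Added example, not code from the forum post. Session store, form fields
(ticket, comment) and SITE_HOST are assumptions for illustration.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "wiki.example"   # assumed host of the protected site


class Session:
    """Minimal stand-in for a server-side session (assumption: one per user)."""
    def __init__(self):
        self.tickets = set()   # outstanding one-time tickets (several tabs allowed)


def issue_ticket(session):
    """Mint an unguessable one-time ticket and remember it in the session."""
    ticket = secrets.token_hex(16)
    session.tickets.add(ticket)
    return ticket


def render_form(session, values=None, notice=None):
    """Stand-in for rendering the HTML form: returns the fields the page would carry."""
    return {"ticket": issue_ticket(session), "values": dict(values or {}), "notice": notice}


def ticket_is_valid(session, submitted):
    """Constant-time comparison against each outstanding ticket; a match is consumed."""
    candidate = (submitted or "").encode()   # bytes so non-ASCII input cannot raise
    for ticket in list(session.tickets):
        if hmac.compare_digest(ticket.encode(), candidate):
            session.tickets.discard(ticket)
            return True
    return False


def handle_post(session, form):
    """Accept the post if its ticket matches; otherwise re-show the form ("repost").

    A missing or stale ticket is not treated as an error page: the user's data is
    kept and a fresh ticket issued, so a genuine user just resubmits. A cross-site
    forgery has no valid ticket, so it never reaches the 'accepted' branch.
    """
    if ticket_is_valid(session, form.get("ticket")):
        return ("accepted", form.get("comment", ""))
    repost = render_form(session,
                         values={"comment": form.get("comment", "")},
                         notice="Ticket missing or expired: please confirm your post")
    return ("repost", repost)


def referer_check(headers):
    """What a Referer check would do; shown only to illustrate why it stays off:
    a browser or proxy that sends no Referer is indistinguishable from a forgery."""
    ref = headers.get("Referer")
    if not ref:
        return False
    return urlsplit(ref).hostname == SITE_HOST


def scenario():
    """Walk through the three cases the post discusses; returns the outcomes."""
    results = {}
    session = Session()
    page = render_form(session)

    # 1. Genuine user with "referer off": constructed request with no Referer header.
    #    The ticket check accepts; a Referer check would have rejected this user.
    headers = {}
    results["genuine_no_referer"] = (
        handle_post(session, {"ticket": page["ticket"], "comment": "hello"})[0],
        referer_check(headers),
    )

    # 2. Cross-site forgery: the attacker's page cannot read the ticket, so it posts
    #    without one. Nothing is written; the form is merely re-shown.
    status, _repost = handle_post(session, {"comment": "spam"})
    results["forgery"] = status

    # 3. Replay of the ticket consumed in case 1: one-time use means it is stale now.
    results["replay"] = handle_post(session, {"ticket": page["ticket"], "comment": "again"})[0]
    return results


if __name__ == "__main__":
    print(scenario())
```

One caveat the repost fallback brings with it: the re-shown confirmation form is itself a state-changing form, so the page that renders it must refuse to be framed (for example via `X-Frame-Options`), otherwise a forged submission inside a hidden frame could be turned into a clickjacking attempt against the confirm button. And, as the post says, none of this helps if the form itself has XSS: injected script runs in the user's origin and can read the ticket out of the page.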