CSRF Prevention When Using CORS?

Question

CSRF Prevention When Using CORS?

I am doing a bookmarklet so that the user can cross-talk a domain message with my server using CORS from any page. The user must authenticate before publishing and using cookies. Is there a way to prevent a malicious website from entering javascript code on my web page to cross-domain a message on my server using user credentials?

+5

security cors csrf

coolsuntraveler Aug 14 '12 at 6:49

source share

1 answer

user2428118 · Answer 1 · 2012-10-02T11:20:44+0000

In theory, there may be a solution for this.

Insert a unique CSRF token into each custom bookmarklet.
Wrap the code in a bookmark in an anonymous function so that the page does not have access to it.
- . , , .
XMLHttpRequest :
- :
  - CSRF
  - .
  - ( , )
:
- , ( , )
, .

: - , (, Array()), - - , / , userID CSRF.

CSRF Prevention When Using CORS?

More articles: