CSRF protection question
I'm currently in the process of implementing CSRF protection into my framework (PHP).

However I am wondering:

Wouldn't it be possible for an attacker to load my page in a (hidden) iframe (obtaining the token) and change some data using JavaScript?

And after that, submit the form?

Tacita answered 17/7, 2011 at 14:6 Comment(0)

Unless the attacker's page has the same domain, protocol and port as yours (if it is, you probably have more serious problems), they won't be able to read the iframe's HTML because of Same Origin Policy.

Aceves answered 17/7, 2011 at 14:9 Comment(2)
Ok kewl. I thought the Same Origin Policy only meant we couldn't do requests. - Tacita
@PeeHaa: It depends on the context. With an iframe, it means unless the domain, port and protocol match, you can not access the iframe's DOM. - Aceves
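The answer covers why a cross-origin iframe cannot read the token out of the page. The server-side half that the asker is building is a per-session secret embedded in every state-changing form and checked on submit. The following is an added example of that pattern in PHP; it is not code from the question, the answer, or the asker's framework. It assumes PHP 7 or later (random_bytes, hash_equals and the null-coalescing operator), that a session is started before the helpers are used, and the function names, session key and form field name are this example's own choices.

```php
<?php
// Added example: minimal CSRF token helpers for a PHP framework.
// Assumes PHP >= 7.0 and that session_start() runs before any output.
// Names below (CSRF_SESSION_KEY, csrf_*, the _csrf field) are hypothetical.

const CSRF_SESSION_KEY = '_csrf_token';

function csrf_token(): string
{
    // One token per session, generated lazily from a CSPRNG and reused.
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

function csrf_field(): string
{
    // Hidden input to embed in every form that changes state. Only documents
    // on the same origin can read this value, which is what the answer relies on.
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_verify(array $request): bool
{
    $expected  = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $submitted = $request['_csrf'] ?? '';
    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token via timing.
    return hash_equals($expected, $submitted);
}

// Typical use in a front controller.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... handle the state change here ...
}
?>
<form method="post" action="/profile">
    <?= csrf_field() ?>
    <input type="text" name="email">
    <button type="submit">Save</button>
</form>
```

A forged cross-site request carries the victim's session cookie automatically but not the token, because the attacker's page cannot read the form on your origin; csrf_verify therefore rejects it. Keep the token tied to the session rather than a fixed value, and regenerate the session (and with it the token) on login.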

© 2022 - 2024 — McMap. All rights reserved.