[Catalyst] Re: REST - like uri design for CRUD
Aristotle Pagaltzis
pagaltzis at gmx.de
Wed Jan 23 03:22:10 GMT 2008
* Peter Karman <peter at peknet.com> [2008-01-23 03:50]:
> In my apps, I do server-side auth checks to verify that users
> can't act on data they should not have access to.
Peter, meet XSRF. XSRF, meet Peter.
:-)
My point with `<img src="/foo/delete">` was that an attacker
tries to get an authenticated and authorised user to visit a
page which contains that tag.
Or maybe an authenticated and authorised user has software like
the Google Web Accelerator installed.
Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
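Added example, not part of the thread and not Catalyst code: a framework-neutral Python guard for a state-changing endpoint, with constructed requests that replay the two cases Aristotle raises (a forged `<img src="/foo/delete">` and a prefetching proxy such as Google Web Accelerator). It goes a step beyond the thread by also covering a cross-site auto-submitted POST, which the method check alone does not stop, so a per-session token is checked with a constant-time compare. The `Session`, `Request` and `OWNERS` types and the user name "peter" are assumptions for the demonstration; `/foo/delete` is the path from the thread.

```python
"""Added example (not from the thread or Catalyst): a CSRF guard for a
destructive endpoint. The browser sends the auth cookie on the forged
request, so Peter's server-side authorisation check passes; the method
check and the per-session token are what actually reject it."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# A forged <img src=...> or a prefetching proxy can only issue these methods,
# so refusing them for a state change closes that door outright.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Server-side session, looked up from the cookie the browser sent (assumed model)."""
    user: str
    # Random per-session token, embedded only in forms we render ourselves.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Minimal request model (assumed, not a Catalyst object)."""
    method: str
    path: str
    session: Optional[Session] = None            # None when no valid auth cookie
    form: Dict[str, str] = field(default_factory=dict)


OWNERS = {"/foo": "peter"}   # constructed ownership table for the example


def authorised(req: Request, resource: str) -> bool:
    """The server-side check from the thread: may this user act on the resource?"""
    return req.session is not None and OWNERS.get(resource) == req.session.user


def guard_delete(req: Request, resource: str, deleted: Set[str]) -> Tuple[int, str]:
    """Decide whether a delete request may proceed. Returns (status, reason)."""
    if req.session is None:
        return 401, "not authenticated"
    if not authorised(req, resource):
        return 403, "not authorised"
    # 1. Never perform a state change on a safe method: this alone defeats
    #    the <img src="/foo/delete"> trick and link prefetchers.
    if req.method in SAFE_METHODS:
        return 405, "state change refused on %s" % req.method
    # 2. A cross-site POST still carries the cookie, so require the token that
    #    only a page we served knows; compare in constant time.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403, "missing or wrong CSRF token"
    deleted.add(resource)
    return 200, "deleted"


def simulate() -> dict:
    """Replay constructed requests against the guard and report the outcomes."""
    sess = Session(user="peter")      # authenticated and authorised user
    deleted: Set[str] = set()
    results = {}
    # a) forged <img src="/foo/delete"> on a third-party page: cookie sent, GET
    results["img_tag"] = guard_delete(Request("GET", "/foo/delete", sess), "/foo", deleted)
    # b) a prefetching proxy fetching the same link on the user's behalf
    results["prefetch"] = guard_delete(Request("HEAD", "/foo/delete", sess), "/foo", deleted)
    # c) cross-site auto-submitted POST form: cookie sent, no token
    results["forged_post"] = guard_delete(Request("POST", "/foo/delete", sess, {}), "/foo", deleted)
    # d) wrong token of the right length: compare_digest still rejects it
    results["wrong_token"] = guard_delete(
        Request("POST", "/foo/delete", sess, {"csrf_token": "0" * 64}), "/foo", deleted)
    # e) no cookie at all
    results["anonymous"] = guard_delete(Request("POST", "/foo/delete"), "/foo", deleted)
    # f) legitimate POST from a form we rendered with the session token
    results["legit"] = guard_delete(
        Request("POST", "/foo/delete", sess, {"csrf_token": sess.csrf_token}), "/foo", deleted)
    results["deleted"] = sorted(deleted)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

Only the last request deletes anything; the first two are stopped by the method check before the token is even consulted, which is why moving destructive actions off GET is the first fix, and the token is what covers the POST case.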