Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

CSRF protection question

Tags:

security

php

csrf

csrf-protection

I'm currently in the process of implementing CSRF protection into my framework (PHP).

However I am wondering:

Wouldn't it be possible for an attacker to load my page in a (hidden) iframe (obtaining the token) and change some data using JavaScript?

And after that submitting the form?

like image 865
PeeHaa Avatar asked Jul 17 '11 14:07

PeeHaa

1 Answers

Unless the attacker's page has the same domain, protocol and port as yours (if it is, you probably have more serious problems), they won't be able to read the iframe's HTML because of Same Origin Policy.

like image 116
alex Avatar answered Oct 01 '22 13:10

alex
Sign in to Comment

Related questions

Global constants in PHPUnit
PHP Communication with C++ Application
Linux lightweight PHP editor or IDE that supports xdebug
What's the best solution to check a users country?
Convert any title to url slug and back from url slug to title
Like posts over Facebook graph api
PHP Question: how to array_intersect_assoc() recursively
mac os php intratactive mode has no prompt
Offset 0 is invalid for MySQL result index 64 (or the query data is unbuffered)
php overload equals-operator
Securely provide a unique secret code to winner of flash game?
Which PHP ORM works best with Zend Framework?
PHPUnit - How to mock PDO prepared statement
Declaration to make PHP script completely Unicode-friendly
Is it okay to save lots of information in $_SESSION?
PHP autovivification
Adding an external server in Aptana Studio 3
Converting doc, docx, pdf to HTML using PHP linux
How to pass object context to an anonymous function?
How to find the first day of the week a given date belongs to? [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!