sunir
12y ago
And I can put that delete URI in an <img src=""> and have your browser or iPhone email automatically destroy your document before you can stop it.
jheising
12y ago
Yes and if I were a hacker, I could do the same thing with curl. Either way the only person who's likely to do it is someone who is technically savvy.
bluefinity
12y ago
You can do the same thing with POST by submitting a form with JS. The correct way to protect against this sort of thing is to use a CSRF token.
oneeyedpigeon
12y ago
Submitting a form with JS is a whole other level of complexity than just having a link out there in the wild that performs write operations. And using a CSRF defeats that stated intent.
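
The GET-versus-POST and CSRF-token points raised in this thread, as an added example that is not part of any commenter's post: a minimal handler that refuses to delete on GET and requires a session-bound token on POST. The routes, `handle`, `issue_csrf_token` and the in-memory store are hypothetical names constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated at import time for this constructed example.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session. The site embeds it in the forms it serves,
    so a page on another origin cannot read or guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle(method: str, path: str, session_id: str, form: dict, documents: dict) -> int:
    """Return an HTTP status code for a request against a tiny document store."""
    action, _, doc_id = path.strip("/").partition("/")
    if action not in ("view", "delete") or doc_id not in documents:
        return 404

    if action == "view":
        # Reads are safe: an automatic fetch (image tag, link preview) changes nothing.
        return 200 if method in ("GET", "HEAD") else 405

    # action == "delete": state-changing, so never reachable through GET.
    if method != "POST":
        return 405

    # The session cookie rides along on cross-site requests automatically;
    # the token does not, so it is what proves the form came from this site.
    expected = issue_csrf_token(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, supplied):
        return 403

    del documents[doc_id]
    return 204
```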