Wouldn't a malicious site be able to read the cookie using XSS cookie stealing and put it in the header of an AJAX request?
Viewed 369 times. 1 answer.
Of course, if the site is vulnerable to XSS, it's also vulnerable to CSRF, but that's the smaller issue then.
If there is no XSS though, the attacker has no way to read the token due to the same-origin policy.

Gabor Lengyel
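The double-submit cookie check that the question and answer are talking about, as an added example (not code from the original post). The `Request` class, the cookie and header names and the three scenario helpers are assumptions made for illustration:

```python
import hmac
import secrets
from dataclasses import dataclass, field

HEADER = "X-CSRF-Token"   # assumed header name
COOKIE = "csrf_token"     # assumed cookie name (must NOT be HttpOnly for this pattern)


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_token() -> str:
    """Random token the server sets as a cookie so same-origin JS can read it."""
    return secrets.token_urlsafe(32)


def csrf_check_passes(req: Request) -> bool:
    """Double-submit check: the header value must equal the cookie value.

    A cross-site page can make the browser *send* the cookie, but under the
    same-origin policy it cannot *read* it, so it cannot fill in the header.
    """
    cookie = req.cookies.get(COOKIE)
    header = req.headers.get(HEADER)
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie, header)


def same_origin_ajax(token: str) -> Request:
    """Legitimate page: its own JS reads document.cookie and copies the token."""
    return Request(cookies={COOKIE: token}, headers={HEADER: token})


def cross_site_forgery(token: str) -> Request:
    """Page on another origin: the browser attaches the cookie, but the page's
    script cannot read it, so the header can only hold a guess."""
    return Request(cookies={COOKIE: token}, headers={HEADER: secrets.token_urlsafe(32)})


def script_on_victim_origin(token: str) -> Request:
    """The XSS case the answer mentions: script running in the victim origin sees
    the same cookie the real page does, so the check cannot tell them apart."""
    return same_origin_ajax(token)
```

Without XSS the forged request fails only because the header cannot be filled in, which is why the answer calls XSS the larger issue: once script runs in the origin, the check passes for it too.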