paulhodge 4 months ago | on: Cross-Site Request Forgery
That’s bad because visiting an evil site can easily trick your browser into performing one of those requests using your own credentials. CORS doesn’t stop the backend state effect from happening.
MajesticHobo2 4 months ago
That's exactly why I don't agree that GETs should be broadly exempted from CSRF protections. I'm not talking about CORS at all.
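
Added example, not part of either comment above: a server-side check that does not exempt a request merely because it is a GET, and that runs before the handler, since CORS only governs whether the calling page can read the response. The route table, the helper name `csrfVerdict`, the hosts and the sample requests are constructed for illustration, and the fallback for requests without browser metadata is an assumed policy.

```javascript
// Hypothetical route table: handlers that change server state, keyed by
// "METHOD path". The GET entry is the case the thread is about.
const STATE_CHANGING = new Set([
  "POST /transfer",
  "GET /unsubscribe", // GET with a side effect: gets the same protection
]);

// Decide whether a request may reach its handler. This must run BEFORE the
// handler: a CORS failure happens after the response is produced, so it
// cannot undo a state change the handler already made.
function csrfVerdict(req) {
  const key = `${req.method} ${req.path}`;
  if (!STATE_CHANGING.has(key)) return { allow: true, reason: "no side effect" };

  const site = req.headers["sec-fetch-site"];
  if (site !== undefined) {
    // "none" = user-initiated (typed URL, bookmark). "same-site" and
    // "cross-site" are both rejected under this policy.
    const ok = site === "same-origin" || site === "none";
    return { allow: ok, reason: `sec-fetch-site=${site}` };
  }
  const origin = req.headers["origin"];
  if (origin !== undefined) {
    let host = null;
    try { host = new URL(origin).host; } catch { /* "null" or malformed */ }
    const ok = host !== null && host === req.headers["host"];
    return { allow: ok, reason: ok ? "origin matches host" : "origin mismatch" };
  }
  // Assumed policy: no browser metadata at all means a non-browser client.
  return { allow: true, reason: "no browser metadata" };
}

// Constructed sample requests against a constructed host.
const h = (extra) => ({ host: "app.example", cookie: "sid=constructed", ...extra });
const samples = [
  { method: "GET", path: "/unsubscribe", headers: h({ "sec-fetch-site": "cross-site" }) },
  { method: "GET", path: "/unsubscribe", headers: h({ "sec-fetch-site": "same-origin" }) },
  { method: "GET", path: "/profile", headers: h({ "sec-fetch-site": "cross-site" }) },
  { method: "POST", path: "/transfer", headers: h({ origin: "https://evil.example" }) },
  { method: "POST", path: "/transfer", headers: h({ origin: "https://app.example" }) },
];

function runSamples() {
  return samples.map((r) => csrfVerdict(r).allow);
}

console.log(runSamples()); // [ false, true, true, false, true ]
```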