Javier's Blog

Mostly computers and other tech stuff,...

Saturday, July 25, 2009

The same-origin policy was designed to prevent an attacker from accessing data on a third-party site. This policy does not prevent requests from being sent; it only prevents an attacker from reading the data returned by the third-party server. Since CSRF attacks are the result of the requests being sent, not of their responses being read, the same-origin policy does not protect against CSRF attacks.
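Because the browser sends the request regardless, the server has to check for itself that a state-changing request came from one of its own pages. The following is an added illustration, not code from the original post: it assumes a hypothetical site origin `https://bank.example` and uses constructed request data to show a legitimate same-origin POST being accepted and a cross-site forgery being rejected, even though both carry the victim's session cookie.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed site origin for this example (not from the original post).
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token():
    """Per-session secret to embed in our own forms (synchronizer token)."""
    return secrets.token_urlsafe(32)


def is_same_origin(headers):
    """Compare the browser-set Origin (or Referer) header with our origin.
    Pages cannot forge these headers, so a cross-site POST carries the
    attacker's origin rather than ours; missing both -> reject."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        p = urlparse(referer)
        origin = f"{p.scheme}://{p.netloc}"
    return origin == SITE_ORIGIN


def validate_state_changing_request(headers, form, session_token):
    """Accept a POST only if it is same-origin AND carries the session token.
    The cookie alone proves nothing: the browser attaches it to any request,
    including one triggered by an attacker's page. The token, however, is only
    readable by our own pages, which is exactly what the same-origin policy
    guarantees."""
    if not is_same_origin(headers):
        return False
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, session_token)


def demo():
    """Run a legitimate and a forged request through the check (constructed data)."""
    token = issue_csrf_token()
    legit_headers = {"Origin": SITE_ORIGIN, "Cookie": "session=abc"}
    legit_form = {"to": "savings", "amount": "100", "csrf_token": token}
    # Forged request: the victim's cookie is still sent, but the browser sets
    # Origin to the attacker's page, and that page could never read the token.
    forged_headers = {"Origin": "https://evil.example", "Cookie": "session=abc"}
    forged_form = {"to": "attacker", "amount": "100"}
    return (validate_state_changing_request(legit_headers, legit_form, token),
            validate_state_changing_request(forged_headers, forged_form, token))
```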

Great paper on Cross-Site Request Forgery: http://citp.princeton.edu/csrf