Double top domains (.co.uk) screw everything up

Open: avlidienbrunn opened this issue 9 years ago • 1 comment

It'll think that the "main domain" is "co.uk" and thus allow anything to be CSRF'd there. Thanks @fransrosen for pointing this out.

avlidienbrunn, Aug 11 '15 05:08

Solvable by testing it using document.domain=x as it won't allow you to traverse up to co.uk.

fransr, Nov 09 '15 19:11
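As an added example (not the plugin's own code), the naive "last two labels" notion of main domain that this issue describes, beside a public-suffix-aware check; the `PUBLIC_SUFFIXES` set is a constructed subset of the Public Suffix List used only to keep the example self-contained.

```javascript
// Constructed subset of the Public Suffix List (https://publicsuffix.org/).
// A real implementation loads the full list, including its wildcard and
// exception rules, rather than hard-coding entries like this.
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk", "org.uk", "jp", "co.jp"]);

// Naive heuristic: the "main domain" is the last two labels. For any host under
// .co.uk this yields "co.uk", so every .co.uk site looks like the same site.
function naiveMainDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function naiveSameSite(originHost, protectedHost) {
  return naiveMainDomain(originHost) === naiveMainDomain(protectedHost);
}

// Public-suffix-aware: walk the labels from the left, stop at the first suffix
// that is a public suffix, and return it plus the label in front of it (the
// registrable domain). A host that is itself a public suffix is not registrable.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Suffix not in the list: fall back to the last two labels.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Same-site check for an Origin/Referer filter: the request origin must share
// the registrable domain with the protected host.
function sameSite(originHost, protectedHost) {
  const a = registrableDomain(originHost);
  const b = registrableDomain(protectedHost);
  return a !== null && a === b;
}
```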