Hacker News
sunir on Feb 8, 2014 | on: ShowHN: dweet.io – Twitter for machines
And I can put that delete URI in an <img src=""> and have your browser or iPhone email automatically destroy your document before you can stop it.
jheising on Feb 8, 2014
Yes, and if I were a hacker, I could do the same thing with curl. Either way the only person who's likely to do it is someone who is technically savvy.
bluefinity on Feb 8, 2014
You can do the same thing with POST by submitting a form with JS. The correct way to protect against this sort of thing is to use a CSRF token.
oneeyedpigeon on Feb 8, 2014
Submitting a form with JS is a whole other level of complexity than just having a link out there in the wild that performs write operations. And using a CSRF defeats that stated intent.
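The two defences raised in this thread, refusing writes on GET and requiring a CSRF token on POST, shown together as an added example; it is not part of the thread and not dweet.io's code. The function names, the session identifier and the per-process key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Methods a browser issues for <img src>, followed links and prefetches.
# A handler that changes state must never accept them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed per-process secret (assumption: a real service would load it
# from its secret store so tokens survive restarts).
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_delete(method: str, session_id: str,
                     submitted_token: Optional[str]) -> Tuple[int, str]:
    """Decide whether a hypothetical document-delete request may proceed."""
    if method.upper() in SAFE_METHODS:
        # Closes the <img src="...delete..."> path: the tag can only send GET.
        return 405, "state change not allowed on a safe method"
    if not submitted_token:
        # A cross-site auto-submitted form carries cookies but not the token.
        return 403, "missing CSRF token"
    expected = issue_csrf_token(session_id)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return 403, "bad CSRF token"
    return 200, "deleted"


if __name__ == "__main__":
    # Constructed sample requests: (description, method, session, token).
    victim, other = "session-victim", "session-other"
    samples = [
        ("image tag in an email", "GET", victim, None),
        ("cross-site JS form post", "POST", victim, None),
        ("token from another session", "POST", victim, issue_csrf_token(other)),
        ("same-site form with token", "POST", victim, issue_csrf_token(victim)),
    ]
    for label, method, sid, token in samples:
        print(f"{label:28} -> {authorize_delete(method, sid, token)}")
```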