
Right, the same-origin policy, thanks. Just found it after a minute of jsfiddling.

Now, let's say my script is not loading bank's page into an iframe, but rather fetches it with an ajax call. Wouldn't that page (again) include a valid CSRF token? Or is this mitigated by checking a referrer on the bank's side?



You can make but CAN NOT view the result of a cross-domain request via XMLHttpRequest unless the site specifically opts in to it. Same-origin policy again.




