X-Frame-Options only prevents the page from being displayed in a frame. It doesn... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		eurleif on March 31, 2012 \| parent \| context \| favorite \| on: #1 CSRF Is A Vulnerability In All Browsers X-Frame-Options only prevents the page from being displayed in a frame. It doesn't prevent a page on another domain from submitting a POST request.

tedivm on April 10, 2012 [–]

CSRF is solved very simply by using tokens for each field. If the attacking site can't load the other page, it can't pull the token out, and without the token the post gets discarded. If you've abstracted your form generation this should be super simple to add.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact