I am trying to trigger the functionality "Turn cross-site POST requests into data-less GET requests" however I can't seem to make it trigger...
This code does not appear to be converted to a sanitized GET, although it could be because I'm running the code locally; I don't have an external host to throw it up on at the moment.
<html>
<body>
<form name=TheForm action="http://www.example.com/" method='POST'>
<input type=hidden name='fields[]' value='badstuffyo' />
</form>
<script>
document.TheForm.submit();
</script>
</body>
</html>
This is what this option is supposed to block, right? Or have I misunderstood...
Cheers,
VADiUM
Turn cross-site POST requests into data-less GET requests
Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
- Giorgio Maone
- Site Admin
Re: Turn cross-site POST requests into data-less GET request
This option applies (by default) to requests originating from non-whitelisted sites and landing on whitelisted ones.
If you want a more generic and flexible anti-CSRF tool, check ABE.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
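The condition described in the reply above, as a simplified model applied to the test form from the question. This is an added example, not part of the thread and not NoScript's code; it assumes a site is identified by its URL hostname, that the whitelist is a plain set of hostnames, and that "data-less" means the request body is dropped. The local file path is constructed.

```javascript
// Simplified model of the rule stated in the reply; not NoScript's implementation.
// Assumptions: a "site" is the URL hostname, the whitelist is a set of hostnames.
function siteOf(url) {
  try {
    return new URL(url).hostname; // empty string for file: URLs
  } catch {
    return ""; // unparsable origin is treated as having no site
  }
}

// Returns the request unchanged, or a GET with no body when a cross-site POST
// goes from a non-whitelisted origin to a whitelisted destination.
function filterRequest(req, whitelist) {
  const from = siteOf(req.origin);
  const to = siteOf(req.url);
  const crossSite = from !== to;
  const untrustedToTrusted = !whitelist.has(from) && whitelist.has(to);
  if (req.method === "POST" && crossSite && untrustedToTrusted) {
    return { method: "GET", origin: req.origin, url: req.url, body: null };
  }
  return req;
}

// Constructed sample: the auto-submitting form from the question, opened from disk.
const testPost = {
  method: "POST",
  origin: "file:///home/user/test.html", // constructed path
  url: "http://www.example.com/",
  body: "fields%5B%5D=badstuffyo",
};

function demo() {
  const trusted = new Set(["www.example.com"]);
  return {
    // Destination not whitelisted: the option does not apply, POST goes out as-is.
    targetNotWhitelisted: filterRequest(testPost, new Set()),
    // Destination whitelisted, origin not: POST becomes a GET without data.
    targetWhitelisted: filterRequest(testPost, trusted),
    // Same-site POST on a whitelisted site: untouched.
    sameSite: filterRequest(
      { ...testPost, origin: "http://www.example.com/form" }, trusted),
  };
}

console.log(demo());
```

In this model the test page only sees its POST rewritten once `www.example.com` is on the whitelist, which matches the scope given in the reply.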