"Oh why hello, thanks for calling, no, sorry, I do not own a TV, computer or tablet - I often spend time at my friends home and uses his computer and TV."
This is how people avoid it in Sweden. However, the stores are obliged to report in when you purchase a TV, but all of these things can be avoided by simple lies ("I gave the TV to my friend for his birthday"), and many do so.
Try clicking both right and left touchpad-button on your laptop. At most (all?) laptops it will open the link just as if you had middle-mouse-clicked it.
That works in X, but I've never seen that work in Windows. And when I have used it, the timing was only about 9/10; the other times I get a left-right click combo, or a right-middle combo, or something else equally disastrous considering how the X clipboard works.
So do I. I just tried it. I get a left and a right click. So the menu shows up for a little while, then it follows the link anyway. Wherever the Emulate3Buttons setting is in Windows, it's not on for me. I open new tabs by right clicking then left clicking for a reason, and it's not because I don't know about the dozen other ways to open a tab.
I'm surprised nobody's suggested "hit tab until the link is highlighted, then hit the menu key" yet. There's another great workaround.
Hi, why not? If the attacker can't get any information without sending a token with the request, what's there to worry about? I'm not very good with js so I might have misunderstood something. Thanks!
The Django "{% csrftoken %}" that you put into forms (and similar things in other frameworks), is used when posting form responses. It turns into a hidden form field (<input type=hidden>). This helps protects against someone creating a form on their own malicious site, that posts some data to yours.
This attack mentioned in the OP is effectively completely different. It is off a GET request.
Imagine you were running a social network site, and you had an API (authenticated via HTTP sesions) that was a GET request go get the firends list. This method returned the (logged-in) users list of friends in a JS array.
Note that Django-style CSRF tokens are not relevant here, as they are only for protecting POSTs.
The attack described in the post is using a script tag, and a redefined array setter, to direct a user with a live logged-in session on your site to it to fetch data.
So coming back to my example. I am a malicious hacker, and I can socially engineer an end-user to come to my site. I put a script src=yoursocialnetwork.com/get_friend_list. This will fetch the data, and I will be able to extract that info in my javascript, and then post that back to my site so I can capture that info.
Thanks a lot for the excellent explanation. I tend to do my Ajax requests with post just to get the token in. Is there a reason not doing so, like savings in bandwidth or something like that? Might that be a gain Facebook is trying to achieve?
Yours is a good solution, and effectively blocks the attack mentioned in this article. From a REST purity standpoint, it's "unclean" to require all API calls to be POSTS, but, hey, life is short.
I believe that he's right that just putting it in a hidden form field would be useless for this sort of attack. However, I believe rails and django actually include the CSRF token in headers for ALL ajax requests, not just form submits.
This is how people avoid it in Sweden. However, the stores are obliged to report in when you purchase a TV, but all of these things can be avoided by simple lies ("I gave the TV to my friend for his birthday"), and many do so.