
I thought that an attacker's JS code can't read the response from a GET request in a CSRF attack. Or are you saying it's possible for the attacker to read the HTTP status code of the response?


I think you're correct here. Also, like POST-based CSRF, GET-based CSRF is also a solved problem (issue a param in the URL).
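The "param in the URL" defence mentioned in the thread, sketched as an added example (not code from either commenter): the server puts a token bound to the session and the target path into links it renders, and rejects a state-changing GET whose token does not verify. `SERVER_KEY`, the function names, the `csrf` parameter name and the sample session ids and paths are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str, path: str) -> str:
    """Token bound to one session and one path, so it cannot be reused elsewhere."""
    msg = f"{session_id}|{path}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_url(session_id: str, path: str, params: dict) -> str:
    """Build the link the server renders into its own pages for this session."""
    query = dict(params, csrf=csrf_token(session_id, path))
    return f"{path}?{urlencode(query)}"


def is_authorized(session_id: str, url: str) -> bool:
    """Check a state-changing GET before acting on it."""
    parts = urlsplit(url)
    supplied = parse_qs(parts.query).get("csrf", [])
    if len(supplied) != 1:  # missing or duplicated parameter: reject
        return False
    expected = csrf_token(session_id, parts.path)
    # Constant-time comparison on bytes (also safe for non-ASCII input).
    return hmac.compare_digest(supplied[0].encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample values.
    link = issue_url("sess-A", "/account/delete", {"id": "7"})
    print(link)
    print("own session:   ", is_authorized("sess-A", link))
    print("other session: ", is_authorized("sess-B", link))
    print("forged, no tok:", is_authorized("sess-A", "/account/delete?id=7"))
```

A cross-site page cannot read the victim's pages to learn the token, which is the same-origin property the first comment relies on. Tokens carried in URLs do end up in server logs, browser history and `Referer` headers, so they should be short-lived or per-request.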



