Could a CSRF attack have any direct way of accessing or manipulating its target site's javascript variables?

views:

answers:

Could a CSRF attack have any direct way of accessing or manipulating its target site's javascript variables?

Does it open any attack vector if an ajax-driven site uses a unique token stored as a javascript variable and verifies it with every request to prevent CSRF -- provided that the site is free from XSS holes?

+1 A:

It doesn't open it up to attack. If the site is free from XSS holes, there is no way another page could get the token from a javascript variable.

Maz 2010-07-23 14:54:31

related questions

What JavaScript patterns do you use most?

Javascript events

What style do you use for creating an "class" in JavaScript?

Graphing JavaScript Library

What's the difference in closure style

Getting the text from a drop-down box

How to specify javascript to run when ModalPopupExtender is shown

Length of Javascript Associative Array

How Do I Post and then redirect to an external URL from ASP.Net?

How to set up a CSS switcher in ASP.NET

Wrapping lists into columns

Javascript keyboard events primer? (or rather: help me with my custom dropdown)

Http Auth in a Firefox 3 bookmarklet

Best Debugging Tools for JavaScript/xulrunner Development

How can I turn a string of HTML into a DOM object in a Firefox extension?

Call ASP.NET Function From Javascript?

Javascript troubleshooting tools in IE

MAC addresses in JavaScript

Capturing TAB key in text box

CSS Background Color in Javascript

How can I make the browser see CSS and Javascript changes?

Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?

ASP .Net Custom Client-Side Validation

What JavaScript library would you choose for a new project and why?

Detecting font in JavaScript

ansaurus

tags:

views:

answers:

Could a CSRF attack have any direct way of accessing or manipulating its target site's javascript variables?

related questions