Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) in jquery-ujs.
In a scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space). That value is passed to jQuery, which treats it as a same-origin request and sends the user's CSRF token to the …
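The same-origin decision described above, as an added example that is not jquery-ujs or jQuery code: a regex-based check that misreads a value with a leading space as relative, next to a check that resolves the value with the WHATWG URL parser before comparing origins. The function names, the regex, the sample origin https://app.example and the token value are assumptions made for illustration.

```javascript
// Added illustration; function names, the regex and the sample origin are assumptions.
const PAGE_ORIGIN = "https://app.example"; // constructed sample value

// Regex-based parsing: anchored at the first character, so any leading
// whitespace makes an absolute URL look like it has no scheme at all.
const ABSOLUTE_URL = /^([\w.+-]+:)\/\/([^\/?#]*)/;

// Weak check: "no scheme matched" is read as "relative URL, same origin".
function naiveIsCrossDomain(url, pageOrigin) {
  const target = ABSOLUTE_URL.exec(url.toLowerCase());
  if (!target) return false;
  const page = ABSOLUTE_URL.exec(pageOrigin.toLowerCase());
  return target[1] !== page[1] || target[2] !== page[2];
}

// Hardened check: resolve the value the way the browser will (the WHATWG URL
// parser strips leading/trailing whitespace), then compare origins.
function isCrossDomain(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
  } catch (e) {
    return true; // unparseable target: fail closed, withhold the token
  }
}

// Attach the token only when the chosen check says the target is same-origin.
function csrfHeadersFor(url, pageOrigin, token, isCross) {
  return isCross(url, pageOrigin) ? {} : { "X-CSRF-Token": token };
}

// Constructed sample inputs: relative, absolute same-origin, leading-space value.
for (const url of ["/posts/1", "https://app.example/posts/1", " https://attacker.com"]) {
  console.log(JSON.stringify(url),
    "naive:", naiveIsCrossDomain(url, PAGE_ORIGIN),
    "hardened:", isCrossDomain(url, PAGE_ORIGIN));
}
```

The hardened check fails closed: a value the parser rejects is treated as cross-origin, so no token header is attached.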