[wp-hackers] Any other way to do it? (or, do we really need Nonces?)
scott.yang at gmail.com
Fri Mar 2 20:11:53 GMT 2007
<iframe name="foo" style="display:none"></iframe>
<form name="bar" target="foo" method="post">
<input type="hidden" name="var1" value="value1"/>
<input type="hidden" name="var2" value="value2"/>
<input type="hidden" name="var3" value="value3"/>
</form>
1. You can certainly post to a form outside your domain.
2. You can hide the form as well.
4. POST is about as insecure as GET
On 3/3/07, Elliotte Harold <elharo at metalab.unc.edu> wrote:
> The difference is you don't need to convince me to click on a link. You
> can force my browser to follow a link in several ways without any human
> because it had been suggested that could be used to force a POST without
> human intervention. I'm not sure that's true but it's worth investigating.
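The thread's point, that a hidden form makes POST no safer than GET, is why the server has to check a per-user nonce on state-changing requests. A minimal sketch of such a check follows, as an added example that is not part of the original post and not WordPress's own implementation; the secret, the 12-hour window, the `_nonce` field, the action name and the `handle_post` handler are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: per-site secret key
LIFETIME = 12 * 60 * 60              # assumption: validity window in seconds
ACTION = "update-settings"           # hypothetical action name


def _mac(user_id, action, tick):
    """HMAC over the time window, the logged-in user and the action."""
    msg = f"{tick}|{user_id}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def make_nonce(user_id, action, now=None):
    """Value the site embeds as a hidden field in its own form."""
    now = time.time() if now is None else now
    return _mac(user_id, action, int(now // LIFETIME))


def verify_nonce(nonce, user_id, action, now=None):
    """Accept the current or previous window; compare in constant time."""
    now = time.time() if now is None else now
    tick = int(now // LIFETIME)
    return any(
        hmac.compare_digest(str(nonce).encode(), _mac(user_id, action, t).encode())
        for t in (tick, tick - 1)
    )


def handle_post(session_user, fields, now=None):
    """Hypothetical handler for a state-changing POST; returns an HTTP status.

    session_user comes from the cookie, which a browser may attach to
    cross-site posts too, so it says nothing about who built the form.
    """
    if not verify_nonce(fields.get("_nonce", ""), session_user, ACTION, now):
        return 403
    return 200


# Constructed sample: the fields of the hidden form quoted in the post.
FORGED = {"var1": "value1", "var2": "value2", "var3": "value3"}

if __name__ == "__main__":
    t0 = 1_000_000_000
    print("forged:", handle_post("alice", FORGED, t0))
    own = dict(FORGED, _nonce=make_nonce("alice", ACTION, t0))
    print("own form:", handle_post("alice", own, t0))
```

The forged submission carries every expected field but is rejected because the other site cannot compute the value bound to the victim's session.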