I think you misunderstand what CSRF protection does. It doesn't have anything to... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		daeken on March 23, 2012 \| parent \| context \| favorite \| on: Show HN: A Way To Hack HN's Karma I think you misunderstand what CSRF protection does. It doesn't have anything to do with same-origin security, but rather preventing request forgery attacks in general. If a CSRF token was present on requests and was tied to a user's session (as is standard), then that would absolutely defend against this attack.

marshray on March 23, 2012 [–]

Wonder if you could get around that by submitting a javascript: link.

daeken on March 23, 2012 | [–]

As far as I can tell, only http(s) links are accepted by the submission form.

Consider applying for YC's Summer 2026 batch! Applications are open till May 4
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact