Closed alanhamlett closed 11 years ago
Keep csrf_token cookie for AJAX requests, but use the token from Flask's signed session cookie when validating the token.
This prevents a situation where somehow the user's csrf_token cookie was set by an attacker using JavaScript.
:+1:
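The check this PR describes, as an added illustration that is not the project's own code: the `Request` class, the `X-CSRFToken` header name and the `session` dict standing in for Flask's signed session cookie are all assumptions, and the attacker-controlled values are constructed. It contrasts the pre-fix comparison against the client-readable cookie with the post-fix comparison against the signed session.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a Flask request; not Flask's own object."""
    cookies: dict = field(default_factory=dict)   # client-controlled
    headers: dict = field(default_factory=dict)   # client-controlled
    session: dict = field(default_factory=dict)   # Flask's signed session: server-controlled


def issue_csrf_token(req: Request) -> str:
    """Mint a token, store the authoritative copy in the signed session and a
    readable copy in a plain cookie so AJAX code can echo it back in a header."""
    token = secrets.token_hex(32)
    req.session["csrf_token"] = token
    req.cookies["csrf_token"] = token
    return token


def validate_against_cookie(req: Request) -> bool:
    # Pre-fix: expected value and submitted value both originate client-side,
    # so whoever can set the cookie can also satisfy the check.
    expected = req.cookies.get("csrf_token", "")
    submitted = req.headers.get("X-CSRFToken", "")
    return bool(expected) and hmac.compare_digest(expected, submitted)


def validate_against_session(req: Request) -> bool:
    # Post-fix: expected value comes from the signed session, which the client
    # cannot rewrite without the server's secret key.
    expected = req.session.get("csrf_token", "")
    submitted = req.headers.get("X-CSRFToken", "")
    return bool(expected) and hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Return the outcome of both checks for a genuine request and a forged one."""
    legit = Request()
    legit.headers["X-CSRFToken"] = issue_csrf_token(legit)
    # Forged request: same signed session, but cookie and header chosen by an attacker.
    forged = Request(session=dict(legit.session))
    forged.cookies["csrf_token"] = "attacker-chosen-value"   # constructed
    forged.headers["X-CSRFToken"] = "attacker-chosen-value"  # constructed
    return {
        "legit_cookie_check": validate_against_cookie(legit),
        "legit_session_check": validate_against_session(legit),
        "forged_cookie_check": validate_against_cookie(forged),
        "forged_session_check": validate_against_session(forged),
    }
```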