Here, usually a "double-submit token" is used to prevent attackers from cross-site request forgery.

If I sent you a link to my website, which you open, your browser could be convinced of sending a password change request. I would `fetch()` the same API you use here: https://github.com/tatliHU/memewebsite/blob/5e8bd77edaf86cae8afa502ba68ef42b843d85ea/templates/change_password.html#L31

... but with `cors: no-cors` added, or `credentials: 'include'`, or something along those lines. When your browser visits my malicious site, it POSTs a password change on the victim site, with credentials (cookies). Cross-site requests are "write-only", hence the idea of double submit: the code should send something non-predictable along with the request data (but sent along with the site contents, e.g. a cookie).

Read on here: https://portswigger.net/web-security/csrf They also have a free (registration required) lab where you can check out the attack itself.

(Note: because this site is not yet visited widely, I see no problem in posting this issue publicly)