
* These are submitted with a form (over POST, hopefully) *

I don't think that the author implies that using POST prevents CSRFs but the article seems to imply it. In case anyone thinks it is the case: using POST won't prevent a CSRF.

Cross Site Request Forgeries occur when a user opens an "evil" page on site B, while being logged on site A. If site A solely relies on cookies in order to identify logged-in users, there is a risk of CSRF. The attack exploits the fact that the user's browser will always send the auth cookies when issuing a request to siteA. If the evil page on siteB embeds an image (or script, or any resource that can be loaded using a URL) whose source is a URL on siteA, the browser will request the resource on siteA with the auth cookie coming along.

In order to issue a POST request to siteA from the evil page, the attacker only has to submit a crafted POST form using an iframe.


> In order to issue a POST request to siteA from the evil page, the attacker only has to submit a crafted POST form using an iframe.

Yes, but requiring POST for anything that changes anything (especially bank transfers) is a best practice anyway, for how all actors involved understand HTTP verbs, and reduces the surface area of attack.

You can create a POST with an iframe, but you can create a GET with an image tag: `<img src="http://mybank.com/transfer?...">`
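The exchange above (cookies always travel with the request, requiring POST only rules out the `<img>` variant, and a per-session token is what actually stops the forged iframe form) as an added example that is not part of the thread or of the linked article. It simulates the three requests from the discussion against a naive POST-only handler and against a hardened one; the session store, the origin `https://bank.example` and the handler names are constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store: session id (the auth cookie value) -> session data.
SESSIONS = {}

# Assumed origin of "site A" (the bank). Anything else is "site B".
ALLOWED_ORIGIN = "https://bank.example"


def login(user):
    """Create a session and a per-session CSRF token (the synchronizer token pattern)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token that site A embeds as a hidden field in its own transfer form."""
    return SESSIONS[sid]["csrf_token"]


def same_origin(url):
    """Compare scheme and host:port exactly; a prefix match would accept bank.example.evil.example."""
    got, want = urlsplit(url), urlsplit(ALLOWED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def post_only_transfer(method, cookies, params):
    """Naive handler: trusts the cookie and only insists on POST, as the quoted article hoped."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state change requires POST"
    return 200, f"transferred {params.get('amount')} for {session['user']}"


def protected_transfer(method, cookies, params, headers):
    """Hardened handler: POST, plus Origin/Referer check, plus token bound to the session."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state change requires POST"
    # The browser sets Origin (or Referer) on a cross-site form post and the evil
    # page cannot forge it; when the header is present and foreign, reject.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None and not same_origin(origin):
        return 403, "cross-origin request rejected"
    # The evil page cannot read site A's form, so it cannot learn the token.
    # Constant-time compare so the check does not leak the token byte by byte.
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {params.get('amount')} for {session['user']}"


def simulate():
    """Replay the thread's three requests and return the status code of each outcome."""
    sid = login("alice")
    cookies = {"sid": sid}  # the browser attaches this on every request to site A
    # <img src="http://bank.example/transfer?amount=1000"> on the evil page
    img_get = ("GET", {"amount": "1000"}, {"Referer": "https://evil.example/page"})
    # <form method="POST"> auto-submitted inside an iframe on the evil page
    iframe_post = ("POST", {"amount": "1000"}, {"Origin": "https://evil.example"})
    # site A's own form, carrying the hidden token
    genuine_post = ("POST", {"amount": "10", "csrf_token": csrf_token_for(sid)},
                    {"Origin": ALLOWED_ORIGIN})
    return {
        "img_get/post_only": post_only_transfer(img_get[0], cookies, img_get[1])[0],
        "iframe_post/post_only": post_only_transfer(iframe_post[0], cookies, iframe_post[1])[0],
        "img_get/protected": protected_transfer(*img_get[:2][:1], cookies, img_get[1], img_get[2])[0],
        "iframe_post/protected": protected_transfer(iframe_post[0], cookies, iframe_post[1], iframe_post[2])[0],
        "genuine_post/protected": protected_transfer(genuine_post[0], cookies, genuine_post[1], genuine_post[2])[0],
        "no_cookie/protected": protected_transfer(genuine_post[0], {}, genuine_post[1], genuine_post[2])[0],
    }


if __name__ == "__main__":
    for name, status in simulate().items():
        print(f"{name}: {status}")
```

The `iframe_post/post_only` entry comes back 200: the cookie is present, the method is POST, and nothing else was checked, which is the point of the thread. The same forged post fails the Origin check and, even if that header were absent, the token check in the hardened handler.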


I updated the post to point this out.


It is not clear whether it reduces the heap size, or the overall footprint of the java process.

By the way, if anyone knows of a method to reduce the RSS size of the java process, I'd be more than grateful to hear about it.


Heap size should be roughly equivalent to the overall footprint unless you're allocating a lot of native memory or mmapped files from the java process. If you are, well, that's your answer.


As a programmer, I have been hugely influenced by mathematics. I don't say it in the sense that I use math heavy concepts when programming, but the practice and experience I gained through mathematics have improved my programming style (more rigorous approach) as well as my understanding of algorithms.


"At Priceonomics, we firmly believe that resale value is the best objective indicator of product quality."

I may have missed something, but given that prices are supposed to reflect the supply vs demand ratio (in a sane market), how can they end up "firmly" believing that resale value is an objective indicator for quality?


Because they like Apple and have some "data" that shows Apple is better. The only missing piece is how that data makes Apple better, and that's what this statement is for.


For the same reason that having only one car available won't make people pay exorbitant sums of money for it. People pay what they perceive the item is worth, typically based on quality. Sure, some people will always buy the cheapest car (or phone), but most people want a phone that will last. They'll pay a little more for a car/phone that will last longer.


There are two problems.

1: disabling cookies bypasses security checks

2: a GET request is not side-effect free

The root cause is the combination of both issues.


Riddle me this: what value does the power series Σ_{n=0}^{∞} x^n/n! have, in terms of x? Of course, the answer is e^x

From my (fuzzy) math memories, I thought that:

exp(x)= 1 + (x^1/1!) + (x^2/2!) + ... + (x^n/n!) + o(x^n) _near_ x=0
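As an added note, not part of the thread, on how the finite expansion in the comment above relates to the full series in the quoted riddle: the comment's formula is the Taylor polynomial of degree $n$ with a Peano remainder, valid as $x \to 0$; the riddle's claim is about the infinite series, and it holds for every real $x$ because the remainder vanishes as the degree grows, not only near $0$. Writing $N$ for the truncation degree,

$$
e^x = \sum_{k=0}^{N} \frac{x^k}{k!} + R_N(x), \qquad
R_N(x) = \frac{e^{\xi}}{(N+1)!}\, x^{N+1} \quad \text{for some } \xi \text{ between } 0 \text{ and } x,
$$

$$
|R_N(x)| \le e^{|x|}\, \frac{|x|^{N+1}}{(N+1)!} \xrightarrow[N \to \infty]{} 0 \qquad \text{for every fixed } x \in \mathbb{R},
$$

so $\sum_{n=0}^{\infty} x^n/n! = e^x$ for all $x$. The $o(x^N)$ form is the same remainder read the other way, for fixed $N$ as $x \to 0$, since $R_N(x)/x^N = e^{\xi} x/(N+1)! \to 0$.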



without the musical aesthetic or the barest sliver of sanity that SEL had.

and 100% more creepy near-upskirt camera angles.


How about corruption and lack of political stability?


Not all of Africa is corrupt and politically unstable. It's a pretty big place.


I totally agree that each country is different (I am half-African and I've lived in a West African country for more than 15 years). The issue is way more complex than it appears. But as far as my experience can tell, corruption makes every single effort required to build something a real pain.


I "vote" with my money too. I wonder if there is an opportunity for an app that would easily enable a consumer to check whether the company (s)he is willing to buy from is in line with its ethics.


I had an idea for a startup along this line (I call it the ethical investor) and my idea was to create a trader platform that profiled your ethical makeup and made stock recommendations based on your ethical profile.


This would be huge for people that have strong beliefs - especially religious beliefs. I think I read of an index fund that tracks compliant companies for a religious group. I think it could have been for Jewish or Muslim people - it's an awesome idea.


Yeah, I have been working on it; I think it is a great niche product. I like the name "continuous investor" but I can't think of a play off of that that would make a reasonable domain name.


For further information http://insecure.org/stf/smashstack.html is an interesting read.

