Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
I am researching XSRF and there is one thing I don't really understand.
Is HTTP FORM post allowed across domains? I realized that I can submit an HTTP POST form anywhere I want. The browser is not blocking it. In the case of AJAX I get access denied though.
So does this mean, by using an auto-submit form an attacker can forge a POST request to any domain?
Will this be blocked on the server side?
Pretty cool stuff anyways.
Edited 1 time(s). Last edit at 01/28/2007 07:01PM by oneflewup.
Like WhiteAcid said: it can be blocked, but most often it isn't. Do a search for CSRF and CSRF protections and you'll see what issues this can cause and how people combat it.
Oh, and you can even have the form point to your domain, but have the user get redirected (with Post content intact) to another domain: http://ilia.ws/archives/152-Cross-Domain-POST-Redirection.html
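An added example of the server-side check the reply alludes to (not code from the thread or from any of the posters): the browser will happily deliver a cross-domain auto-submitted POST together with the victim's cookies, but the attacker's page can neither read a secret embedded in the real site's form (same-origin policy) nor forge the Origin header the browser attaches. The app origin, the session id and the request fields below are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Assumed origin of the protected application (constructed value).
SITE_ORIGIN = "https://shop.example"


def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Derive a per-session token; the app embeds it in every state-changing form."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(session_id: str, form_fields: dict, headers: dict,
               server_key: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a POST that changes server state."""
    expected = issue_csrf_token(session_id, server_key)
    supplied = form_fields.get("csrf_token", "")
    # Constant-time compare: a cross-site form cannot know this value.
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong csrf_token"
    # Browsers set Origin on cross-site POSTs; fall back to Referer if absent.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False, f"unexpected origin {origin!r}"
    return True, "ok"


# Constructed sample session and requests.
SERVER_KEY = secrets.token_bytes(32)
SESSION_ID = "sess-1234"


def legitimate_request() -> tuple[bool, str]:
    """POST from the site's own form: carries the token and a matching Origin."""
    fields = {"amount": "10", "csrf_token": issue_csrf_token(SESSION_ID, SERVER_KEY)}
    return csrf_check(SESSION_ID, fields, {"Origin": SITE_ORIGIN}, SERVER_KEY)


def cross_site_request() -> tuple[bool, str]:
    """Auto-submitted form on another domain: cookies arrive, the token does not."""
    fields = {"amount": "10"}
    return csrf_check(SESSION_ID, fields, {"Origin": "https://other.example"}, SERVER_KEY)


if __name__ == "__main__":
    print("legitimate:", legitimate_request())
    print("cross-site:", cross_site_request())
```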