[Tutor] How to use custom protocol with requests?
Danny Yoo
dyoo at hashcollision.org
Sun Oct 12 05:17:28 CEST 2014
On Sat, Oct 11, 2014 at 7:58 PM, Juan Christian
<juan0christian at gmail.com> wrote:
> Sorry for triple post, but yes, webbrowser worked 100%. Exactly what I
> needed!
Huh. Wow. That actually worked?
:P
---
Frankly speaking though, this sounds like a horrible XSRF-style attack
in waiting, if I understand what has just happened.
(http://en.wikipedia.org/wiki/Cross-site_request_forgery)
Usually, requests to do mutation operations are protected so that, in
order to make the request, you have to have some knowledge in the
request that's specific to the user, and not public knowledge. The
URL you've described is missing this basic information, an "XSRF
token" as it's commonly known (though I would have assumed it would be
called an "anti-XSRF" token, but oh well.)
I'm not sure how your web browser is handling the 'steam://' URL
class, but I would very much hope that, in the interface between the
browser and your Steam client, it's doing something to mitigate what
looks like an XSRF exploit.
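
The token check described in the message above, as an added example that is not part of the original post and is not Steam's code. The handler, session names and the `xsrf_token` parameter name are hypothetical; the token is an HMAC of the session id under a server-side key.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Server-side secret, generated per process for this demo (assumption).
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Token the server embeds in its own pages for this session only."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time check that the presented token belongs to this session."""
    if not presented:
        return False
    expected = issue_token(session_id).encode()
    return hmac.compare_digest(expected, presented.encode())


def handle_request(method: str, session_id: str, params: dict) -> Tuple[int, str]:
    """Hypothetical handler: reads pass, mutations need the session's token.

    session_id stands for the cookie the browser attaches automatically,
    which is why it cannot by itself prove the user intended the request.
    """
    if method == "GET":
        return 200, "read ok"
    if not token_is_valid(session_id, params.get("xsrf_token")):
        return 403, "missing or wrong anti-XSRF token"
    return 200, "performed " + str(params.get("action"))


# Constructed sessions: one user, and a second account held by someone else.
USER, OTHER = "session-user", "session-other"


def demo() -> dict:
    """Status codes for a legitimate request and two requests lacking the right token."""
    return {
        "legitimate": handle_request(
            "POST", USER, {"action": "install", "xsrf_token": issue_token(USER)})[0],
        "public_url_only": handle_request("POST", USER, {"action": "install"})[0],
        "other_sessions_token": handle_request(
            "POST", USER, {"action": "install", "xsrf_token": issue_token(OTHER)})[0],
    }
```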