undefined | Better HN

0 pointsThorrez6y ago0 comments

How would it stop XSS? Is it meant to stop attackers from getting JS execution on your site, or to mitigate the attackers' abilities after they have JS execution? I don't see how it would do either.

0 comments

donatj6y ago

I mean both CSRF and XSS. If your inputs are named something different on everyone’s machine, per session, you can only XSS yourself. Not very useful, you can already do in many other ways.

Also my comment above is not an endorsement of the methodology, it’s just a thing that happened.

ThorrezOP6y ago

Why can you only XSS yourself? If an attacker has javascript execution on the website, the javascript can identify forms not just via their names, but by relation to other elements in the DOM tree. The javascript can for example do

document.querySelector("form > input");

That doesn't rely on names at all. Just like a human can use eyes to find the right input, the javascript can use the DOM tree to find the right input.

I understand that it provides CSRF protection. It's basically a CSRF token embedded in the name.

donatj6y ago

You misunderstand. Specifically on sites without cross-user visible content, the JavaScript needs to get into the system via an input, POST or GET. When every user input is named something different, you have no ability to send a link with a JavaScript payload.

1 more reply

justicz6y ago

Maybe they mean CSRF? Then things make more sense since you can’t guess the field names cross-origin.

j / k navigate · click thread line to collapse

0 comments

donatj6y ago

I mean both CSRF and XSS. If your inputs are named something different on everyone’s machine, per session, you can only XSS yourself. Not very useful, you can already do in many other ways.

Also my comment above is not an endorsement of the methodology, it’s just a thing that happened.

ThorrezOP6y ago

document.querySelector("form > input");

That doesn't rely on names at all. Just like a human can use eyes to find the right input, the javascript can use the DOM tree to find the right input.

I understand that it provides CSRF protection. It's basically a CSRF token embedded in the name.

donatj6y ago

1 more reply

justicz6y ago

Maybe they mean CSRF? Then things make more sense since you can’t guess the field names cross-origin.

j / k navigate · click thread line to collapse