0 points
kenniskrag
5y ago
0 comments
Already exists. A custom HTTP header with a JWT token, for example. The auth data can also be in the body of a POST request. In the URL would also be possible, but it is a security risk due to, e.g., browser history.
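An added example, not code from the thread, of the header-or-body approach the comment describes, refusing the URL variant, together with a small scanner that flags tokens that did end up in the query string of access-log lines; the parameter names, the log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names that commonly carry bearer credentials (assumption: adjust to your app).
CREDENTIAL_PARAMS = {"token", "jwt", "access_token", "auth"}

def extract_token(headers, body_fields=None, query_string=""):
    """Return (token, source) from the Authorization header or the POST body.
    A token in the query string is refused rather than honoured, because the URL
    lands in browser history, Referer headers and server access logs."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip(), "header"
    if body_fields and "token" in body_fields:
        return body_fields["token"], "body"
    if CREDENTIAL_PARAMS & set(parse_qs(query_string)):
        raise ValueError("credential passed in URL query string; refusing")
    return None, None

# Request line inside a common-log-format entry (assumed log format).
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_tokens_in_urls(log_lines):
    """Scan access-log lines and report (path, [leaked parameter names])
    for every request whose query string carries a credential-like parameter."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        leaked = sorted(CREDENTIAL_PARAMS & set(parse_qs(urlsplit(target).query)))
        if leaked:
            hits.append((target.split("?")[0], leaked))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /api/profile?token=eyJhbGciOi.example HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2020:10:00:01 +0000] "POST /api/login HTTP/1.1" 200 128',
    '10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /api/items?page=2 HTTP/1.1" 200 2048',
]
```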
3 comments · 2 top-level
tester34
5y ago
You have to attach that "JWT token" (heh) with, e.g., JS, which makes it vulnerable to XSS, doesn't it?
kenniskrag
OP
5y ago
With XSS you can also inject the code. So no cookie extraction needed, imho.
kenniskrag
OP
5y ago
Advertisement still works, because the site can just execute JS and make a POST request to the advertisement company.