232e2fb474
When an attacker uses a <form> to downvote a comment, the browser *should* add a `Content-Type: ...` header with three possible values: * application/x-www-form-urlencoded * multipart/form-data * text/plain If the header is not sent or requests `application/json`, the request is not forged (XHR is restricted by CORS separately). |
||
---|---|---|
.. | ||
fixtures.py | ||
test_comments.py | ||
test_cors.py | ||
test_guard.py | ||
test_vote.py |