6c06b69dc5
When an attacker uses a `<form>` to downvote a comment, the browser *should* add a `Content-Type: ...` header with three possible values:

* application/x-www-form-urlencoded
* multipart/form-data
* text/plain

If the header is not sent or requests `application/json`, the request is not forged (XHR is restricted by CORS separately).
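A guard built on the rule described in the commit message, as an added illustration (not the project's own code): only requests whose media type a browser `<form>` can produce are subjected to the token check; the header-parsing helper, the `csrf_guard` signature and the constructed header dictionaries are assumptions for the example.

```python
# Added example, not the project's code: a CSRF guard that applies the
# token check only to requests a cross-site <form> could have produced.
import hmac
from typing import Optional

# The three media types an HTML <form> can submit (its enctype values).
FORM_MEDIA_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Return the bare, lower-cased media type of a Content-Type header.

    Parameters such as '; charset=utf-8' or '; boundary=...' are dropped,
    so 'multipart/form-data; boundary=xyz' still matches the form type.
    """
    if content_type is None:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def could_be_form_submission(content_type: Optional[str]) -> bool:
    """True when the body could have come from a plain HTML <form>.

    A missing header or a non-form type such as application/json cannot be
    sent by a form; such cross-origin requests are governed by CORS instead.
    """
    return media_type(content_type) in FORM_MEDIA_TYPES


def csrf_guard(headers: dict, session_token: Optional[str],
               form_token: Optional[str]) -> bool:
    """Accept a state-changing request (e.g. a vote) or reject it as forged.

    Header names are matched case-insensitively (constructed dict input).
    Form-capable requests must carry a token equal to the session's token.
    """
    ct = next((v for k, v in headers.items()
               if k.lower() == "content-type"), None)
    if not could_be_form_submission(ct):
        return True
    if session_token is None or form_token is None:
        return False
    return hmac.compare_digest(session_token, form_token)
```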
* ..
* fixtures.py
* test_comments.py
* test_cors.py
* test_guard.py
* test_vote.py