So "formdigest"/"requestdigest" in SharePoint is basically a security token used to tell SharePoint that the POST request that has come to the server is from an authenticated, legitimate user. Documentation and blogs suggest that this is used as a security measure against cross-site scripting attacks.
As far as I understand, in cross-site scripting a malicious script is injected into the page. So the question is, once the script is injected into the page, can't this script use the requestdigest the same as any other "legitimate" script in the page does and do POST operations to SharePoint? How does SharePoint stop such attacks?
Or is it that SharePoint provides security against the script injection to the page in the first place? This is a bit confusing to me.
