Add custom title to post without ajax

AFAIK it is not possible to set the title field on form submission; it can only be done in AJAX requests.

These questions also indicate that this is not possible:

But after reading the Cross-Site Protective Case (CSRF), he noted that:

Encrypted token template


The encrypted token template uses encryption, not comparison, as the token validation method. After successful authentication, the server generates a unique token consisting of user ID, timestamp value and nonce using a unique key only on the server. This token is returned to the client and embedded in a hidden field. Subsequent AJAX requests include this token in the request-header, similar to the Double-Submit pattern. Non-AJAX form based requests implicitly store the token in its hidden field, although I recommend storing that data in a custom HTTP header in such cases. Upon receiving this request, the server reads and decrypts the token value with the same key used to create the token.

This sentence confuses me:

I recommend storing this data in a custom HTTP header in such cases

Can anyone shed some light on it?



1 answer

Yes, the sentence implies that the POST operation is called by a custom JavaScript handler to inject the AUTH header. I revised the OWASP description to reflect this control.
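An added example, not part of the question, the answer or the OWASP text: a sketch of the pattern quoted above, with the server side issuing and checking the encrypted token and the client side moving it from the hidden field into a request header. It assumes Node.js with AES-256-GCM; the header name X-CSRF-Token, the field name csrf_token and the 15-minute lifetime are hypothetical choices.

```javascript
const crypto = require("node:crypto");

const SERVER_KEY = crypto.randomBytes(32); // assumption: key known only to the server
const MAX_AGE_MS = 15 * 60 * 1000;         // assumption: token lifetime
const HEADER = "X-CSRF-Token";             // hypothetical custom header name

// Server, after authentication: encrypt {user ID, timestamp, nonce}.
function issueToken(userId, now = Date.now()) {
  const iv = crypto.randomBytes(12);
  const nonce = crypto.randomBytes(16).toString("hex");
  const payload = JSON.stringify({ uid: userId, ts: now, nonce });
  const cipher = crypto.createCipheriv("aes-256-gcm", SERVER_KEY, iv);
  const ct = Buffer.concat([cipher.update(payload, "utf8"), cipher.final()]);
  // Layout: 12-byte IV | 16-byte auth tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
}

// Server, on each state-changing request: decrypt the header value and
// check that it belongs to the session's user and has not expired.
function verifyToken(token, sessionUserId, now = Date.now()) {
  try {
    const raw = Buffer.from(String(token), "base64url");
    if (raw.length < 29) return false; // too short to hold IV + tag + data
    const iv = raw.subarray(0, 12);
    const decipher = crypto.createDecipheriv("aes-256-gcm", SERVER_KEY, iv);
    decipher.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { uid, ts } = JSON.parse(plain.toString("utf8"));
    const age = now - ts;
    return uid === sessionUserId && age >= 0 && age <= MAX_AGE_MS;
  } catch {
    return false; // modified, truncated, or encrypted under another key
  }
}

// Client: a plain form submission cannot set request headers, so a submit
// handler takes the token out of the hidden field and sends it as a header.
function buildRequest(fields) {
  const { csrf_token, ...rest } = fields;
  return {
    method: "POST",
    headers: { [HEADER]: csrf_token, "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams(rest).toString(),
  };
}
// Browser usage (not run here):
// form.addEventListener("submit", (e) => { e.preventDefault();
//   fetch(form.action, buildRequest(Object.fromEntries(new FormData(form)))); });
```

Because a cross-origin HTML form cannot add a custom header, the server can reject any state-changing request that lacks the header before it attempts decryption.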


