Simon Willison
simonwillison.net
did:plc:kft6lu4trxowqmter2b6vg6z
Forging doesn't matter, because CSRF is about protection from confused deputy attacks where a real user's real browser is tricked into performing actions on their behalf.
The fact that someone with curl can send any headers they like doesn't affect that; they still need to get an authentication token.
2025-10-15T12:11:05.529Z
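
The argument in the post, as an added example that is not part of the original post: a header-based CSRF check sits in front of session authentication, so a forged header without a session gets nowhere, while a real browser carrying the victim's cookie cannot forge the header. It assumes the header in question is the browser-set `Sec-Fetch-Site`; the `handle` function, the `session` cookie name and the token value are hypothetical.

```python
from http import HTTPStatus

# Constructed session store: token -> user (sample values, not from the post).
SESSIONS = {"constructed-session-token": "alice"}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Values of Sec-Fetch-Site treated as not cross-site ("none" = user-initiated).
TRUSTED_FETCH_SITES = {"same-origin", "none"}


def handle(method, headers, cookies):
    """Return (status, reason) for a state-changing endpoint."""
    # CSRF check: browsers set Sec-Fetch-Site themselves and page script
    # cannot override it, so a cross-site page cannot make the victim's
    # browser claim "same-origin".
    if method in UNSAFE_METHODS:
        site = headers.get("Sec-Fetch-Site")
        # Simplification: a missing header is allowed through here, since
        # non-browser clients do not send it and have no ambient cookies.
        if site is not None and site not in TRUSTED_FETCH_SITES:
            return HTTPStatus.FORBIDDEN, "cross-site request rejected"
    # Authentication is a separate layer: no valid token, no action,
    # whatever the headers say.
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return HTTPStatus.UNAUTHORIZED, "no valid session"
    return HTTPStatus.OK, f"action performed as {user}"


# Constructed requests covering the three situations the post contrasts.
VICTIM_COOKIES = {"session": "constructed-session-token"}

# 1. Real browser, real cookie, request triggered by another site.
tricked_browser = handle("POST", {"Sec-Fetch-Site": "cross-site"}, VICTIM_COOKIES)
# 2. Real browser, real cookie, request from the application's own page.
legitimate = handle("POST", {"Sec-Fetch-Site": "same-origin"}, VICTIM_COOKIES)
# 3. Non-browser client with a hand-written header and no session token.
forged_no_token = handle("POST", {"Sec-Fetch-Site": "same-origin"}, {})

if __name__ == "__main__":
    for name, result in [("tricked browser", tricked_browser),
                         ("legitimate", legitimate),
                         ("forged header, no token", forged_no_token)]:
        print(f"{name}: {int(result[0])} {result[1]}")
```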