Ahh, makes sense. The docs are a little confusing. I forgot that you can do action=tokens
without CSRF protection.
On May 16, 2012, at 7:46 PM, Roan Kattouw wrote:
On Wed, May 16, 2012 at 7:32 PM, Terry Chay
Not if you can read the data using the Object/Array constructor hacks
you described. The potential for data leakage includes token leakage,
and once you get the API to leak a token you can create a hidden form
on the page that POSTs all the right data (including the token) to the
action=edit API and call .submit() on the form.
Wikitech-l mailing list