wasn't served from.
No, it wouldn't. It would be served from the forum website.
executed... that is the way I suppose how CSRF works... correct me if
If the script can transfer the cookie, it can also transfer the
So now the 3rd party application has both the cookie and the token :).
If it does not provide a complete solution, everyone should know about
it... so that they do not assume that it is.
Define a complete solution. Oh, right, there is no such thing.
I'm sure no one has said that authenticity_token would be a complete solution to web app security and I have a hard time thinking many people would ever assume that.
Like I (and Manfred) said before, it is hard to build shields against even specific threats on the framework level. CSRF is probably one of the few low-hanging fruits. A general solution for all threats is just a pipe dream. But if you find a generic solution against specific cases you encounter that would be easy to implement, go ahead and send a patch.
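To make the point of this exchange concrete, here is a small Ruby model of a session-bound CSRF token check, added as an example for this thread rather than taken from Rails' own protect_from_forgery code. The CsrfGuard class, its in-memory session store and the two scenario functions are constructed for illustration; they show that the token check stops a cross-site form POST (which carries the cookie but cannot read the token) while it cannot, by design, distinguish a request that replays both stolen values from a legitimate one.

```ruby
require 'securerandom'

# Minimal model of a per-session CSRF token check (constructed example,
# not Rails' implementation). The session id travels in a cookie; the token
# is minted per session, embedded in the server's own forms, and must be
# echoed back on every state-changing request.
class CsrfGuard
  def initialize
    @sessions = {} # session_id => csrf token (in-memory store for the example)
  end

  # Log a user in: mint a session id and a per-session token. Returns both.
  def start_session
    sid = SecureRandom.hex(16)
    @sessions[sid] = SecureRandom.hex(32)
    [sid, @sessions[sid]]
  end

  # Token the server embeds in its own forms for this session.
  def form_token(sid)
    @sessions.fetch(sid)
  end

  # Server-side check on a POST: the cookie must name a live session and the
  # submitted token must equal that session's token (constant-time compare).
  def verified?(cookie_sid, submitted_token)
    expected = @sessions[cookie_sid]
    return false if expected.nil? || submitted_token.nil?
    return false unless expected.bytesize == submitted_token.bytesize
    expected.bytes.zip(submitted_token.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Scenario 1: a cross-site form POST rides on the browser's cookie but has no
# way to read the token, so it sends none (or a guess) and is rejected.
def cross_site_post_rejected?
  guard = CsrfGuard.new
  sid, _token = guard.start_session
  !guard.verified?(sid, nil) && !guard.verified?(sid, SecureRandom.hex(32))
end

# Scenario 2 (the thread's point): if script running in the page can read the
# cookie it can read the token too, and a request carrying both passes the
# check. The token is a CSRF defence only; script injection must be prevented
# separately (output escaping, cookie flags, CSP).
def replayed_cookie_and_token_accepted?
  guard = CsrfGuard.new
  sid, token = guard.start_session
  guard.verified?(sid, token) && guard.form_token(sid) == token
end
```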