Thread:Talk:Requests for comment/API Future/CORS and third-party web apps/reply (4)

Technically speaking, I think anonymous editing via action=edit already allows that kind of attack. *cough*