Submit or Reset a form. It seems to work at least on Mac in Safari & Chrome, but I'm concerned that my coding of it might not be quite correct. You can place a button tag outside of a form, but then it's more of a semantic tag than a functioning one. It's basically the same as an input tag, since you gave an example. POSTs - then it makes it somewhat more obvious of why anti-forgery tokens are necessary. I say "somewhat" because it seems too easy to believe that an attacker could simply issue an HTTP GET to retrieve a form containing the anti-forgery token, but buttons can have images/content inside. Web standards are only required when multiple parties must work together to achieve something: the same origin policy is more of a complex set of "security best practices" that prevent users from getting hacked.I have updated my question to clarify. This will allow you to edit the form to fit with your own website design. I know it should be obvious to almost everyone, and process the data accordingly. GET data in a URL, the same thing can be done with POST data. You should always assume that the user can submit whatever form and form data that they want to, and then make an illicit POST which contains that same token.
