From 51f272ae9720c3937c9efd302d012fc3ee23841d Mon Sep 17 00:00:00 2001 From: Wojciech Krzystek Date: Sat, 30 Jan 2016 20:10:37 +0100 Subject: [PATCH] docs($http): reword of XSRF attack overview Previous version emphasised "gaining user's private data". While this perfectly describes JSON vulnerability (which is based on XSRF), data theft suits XSS more. Pure XSRF is more about performing requests that have side effects. --- src/ng/http.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/ng/http.js b/src/ng/http.js index 8fb3ae306467..8e5aa3c8d103 100644 --- a/src/ng/http.js +++ b/src/ng/http.js @@ -749,8 +749,9 @@ function $HttpProvider() { * * ### Cross Site Request Forgery (XSRF) Protection * - * [XSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) is a technique by which - * an unauthorized site can gain your user's private data. Angular provides a mechanism + * [XSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) is an attack technique by which + * a malicious site can issue requests to your server as if they were coming from JavaScript + * running on your domain. Angular provides a mechanism * to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie * (by default, `XSRF-TOKEN`) and sets it as an HTTP header (`X-XSRF-TOKEN`). Since only * JavaScript that runs on your domain could read the cookie, your server can be assured that
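Review bot: The new wording in the hunk ("issue requests to your server as if they were coming from JavaScript running on your domain") describes the attack slightly inaccurately: a forged request is not made to look like same-origin script, it is accepted because the victim's browser automatically attaches the session cookies, so the server sees an authenticated request from the user. Consider something like "a malicious site can cause a user's browser to send authenticated requests to your server, since the browser attaches your cookies automatically", which also sets up the next sentence correctly, because the defence described there works precisely by requiring a value that only same-origin JavaScript can read and copy into the `X-XSRF-TOKEN` header. The commit message's point about side effects rather than data theft is right and could be stated in the doc text too (one clause such as "typically to perform state-changing actions on the user's behalf"). Minor: the reflow leaves a short orphan line "running on your domain. Angular provides a mechanism"; rewrapping that paragraph would read better.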