(no title)
miguelgrinberg | 2 months ago
It is pretty clear to me that the maintainer is cautious and is seeking other expert opinions before accepting the proposed upgrade to full solution. This, to me, shows integrity and not the lack of it. I apologize if my choice of words somehow can be interpreted in any other way!
nchmy|2 months ago
Our confusion might be due to the fact that an erroneous PR (by seemingly an AI-wielding student...) was somehow recently accepted that completely reverted the changes we collectively worked on, which effectively made Fetch Metadata a full solution. So, it is back to showing as defense in depth. I've raised an issue about it, which wouldn't have happened if I didn't see your article!
Here's the previous language:
> If your software targets only modern browsers, you may rely on [Fetch Metadata headers](#fetch-metadata-headers) together with the fallback options described below to block cross-site state-changing requests
We then detailed some fallbacks (eg Origin header). Full text can be viewed in the original PR
https://github.com/OWASP/CheatSheetSeries/pull/1875
or
https://github.com/OWASP/CheatSheetSeries/blob/7fc3e6b8fde65...
If after reading that you still think that Fetch Metadata is not a viable full solution, I'd be curious to know why - the goal of that PR (and the preceding discussion that I instigated) was to upgrade it from Defense in Depth to Full (even if slightly less full than tokens, due to the possible need for some fallbacks).
miguelgrinberg|2 months ago
Confession, I did not read the PR. I assumed that what is currently published in the cheatsheet is the same as the PR. This is what guided my analysis.
I will update my article to be in agreement with reality, now that I understand it. Thanks!