top | item 46381875

nhumrich | 2 months ago

This is "not allowing cross-site at all", so technically it's not "request forgery" protection. Yes, this is very semantic, but CSRF is a vulnerability introduced by enabling CS and CORS. So, technically, same-site cookies are not "protection" against CSRF.

hn_throwaway_99 | 2 months ago

I don't understand your distinction at all. I may not quite grok your meaning here, but CORS is usually discussed in the context of allowing cross-origin AJAX calls.

But cross-origin form posts are and have always been permitted, and are the main route by which CSRF vulnerabilities arise. Nothing on the client or server needs to be enabled to allow these form posts.

Furthermore, the approach detailed in the article simply has the server block requests if they are cross-site/origin requests, so I'm not sure what the semantic difference is.
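The server-side gate the comment above describes, as an added example that is not from this thread or from the article it discusses: a request classifier that rejects cross-site state-changing requests using the browser-set Sec-Fetch-Site header, falling back to the Origin header for clients without Fetch Metadata. The `checkCrossSite` helper, the `bank.example` / `attacker.example` names and the request objects are all constructed for this example to mimic what a browser would send; nothing here uses a network.

```javascript
// Added example, not code from the thread or the article it discusses.
// A server-side gate that blocks cross-site writes. Sec-Fetch-Site is set
// by the browser on every request and cannot be forged by page script; the
// Origin header is the fallback for older clients.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Hypothetical helper. Returns { allow: boolean, reason: string }.
function checkCrossSite(req, allowedOrigin) {
  const method = req.method.toUpperCase();
  const h = {};
  for (const [k, v] of Object.entries(req.headers)) h[k.toLowerCase()] = v;

  // This gate is for writes; reads are let through (and must not change state).
  if (SAFE_METHODS.has(method)) return { allow: true, reason: 'safe method' };

  const sfs = h['sec-fetch-site'];
  if (sfs !== undefined) {
    // 'none' is a user-initiated request (typed URL, bookmark). 'same-site'
    // (a sibling subdomain) is deliberately rejected here as well: this gate
    // enforces same-origin, which is stricter than the cookie's notion of site.
    if (sfs === 'same-origin' || sfs === 'none') {
      return { allow: true, reason: `sec-fetch-site=${sfs}` };
    }
    return { allow: false, reason: `sec-fetch-site=${sfs}` };
  }

  // Fallback: browsers attach Origin to POSTs, including plain HTML form
  // posts, so a missing Origin means this is not a browser request we can
  // vouch for. Reject rather than assume. (Origin may also be the literal
  // string "null", e.g. from a sandboxed iframe; it will not match.)
  const origin = h['origin'];
  if (origin === undefined) return { allow: false, reason: 'no origin information' };
  if (origin === allowedOrigin) return { allow: true, reason: 'origin matches' };
  return { allow: false, reason: `origin ${origin} != ${allowedOrigin}` };
}

const SITE = 'https://bank.example'; // assumed site for the example

// Constructed requests approximating what a browser sends.
const sampleRequests = {
  // The site's own form submission.
  sameOriginForm: { method: 'POST', headers: { 'Origin': SITE, 'Sec-Fetch-Site': 'same-origin' } },
  // The classic CSRF vector: an auto-submitting <form> on attacker.example.
  // Nothing had to be "enabled" for the browser to send this.
  crossSiteForm: { method: 'POST', headers: { 'Origin': 'https://attacker.example', 'Sec-Fetch-Site': 'cross-site' } },
  // A cross-origin fetch() that needs no CORS preflight. CORS only hides the
  // response from attacker script; the server still receives the request.
  crossSiteFetch: { method: 'POST', headers: { 'Origin': 'https://attacker.example', 'Sec-Fetch-Site': 'cross-site', 'Content-Type': 'text/plain' } },
  // Older browser without Fetch Metadata, same-origin and cross-site posts.
  legacySameOrigin: { method: 'POST', headers: { 'Origin': SITE } },
  legacyCrossSite: { method: 'POST', headers: { 'Origin': 'https://attacker.example' } },
  // A cross-site read passes this gate; see the SameSite discussion for why
  // GET endpoints must therefore be free of side effects.
  crossSiteGet: { method: 'GET', headers: { 'Sec-Fetch-Site': 'cross-site' } },
};

function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(sampleRequests)) {
    out[name] = checkCrossSite(req, SITE).allow;
  }
  return out;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.table(runSamples());
}
```

Non-browser API clients that authenticate with a bearer token rather than a cookie send neither header and would be rejected by this gate; route them past it (CSRF is a cookie-ambient-authority problem, so they do not need it) rather than weakening the missing-Origin branch.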

true_religion | 2 months ago

Yeah, CORS is not a safety mechanism. It’s a procedure of loosening the default safety mechanism of not sharing any response data from a cross site request with client side JavaScript.

nchmy | 2 months ago

CS and CORS have nothing to do with CSRF... Though, yes, neither does same-site.

nchmy | 2 months ago

I don't know why I said same-site cookies have nothing to do with csrf. They can be helpful as defense in depth, but not primary defense.