Hmm, it seems like the claim "solves cross-site request forgeries" is dangerously misleading. I get what you were trying to say John, but nobody can safely remove XSRF mitigations, so why even mention it? It will just cause confusion, no?
I asked Mike about that document; they're saying that they can make form POSTs unauthenticated, which will make some CSRFs unexploitable, so that document does seem accurate. With Safari, the attack just requires modification, and it will always still be exploitable... right?
The default will protect against navigational requests?
Yes, my understanding is SameSite=Lax will make top-level form POSTs to a third party unauthenticated, which does seem like it will have some modest security benefit.
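As an added illustration of the mechanism the reply above describes (example code written for this page, not something posted in the thread), here is a small model of the SameSite cookie-attachment rules a browser applies. The site names are constructed, and the function models only the explicit `SameSite` attribute values Strict, Lax and None; it shows that Lax withholds the cookie on a cross-site top-level form POST, still sends it on a cross-site top-level GET navigation, and never sends it on cross-site subresource requests.

```python
# Added example: a model of SameSite cookie-attachment rules (Strict / Lax / None).
# This is not browser code; it follows the rules in the cookies spec (RFC 6265bis)
# so that the claim "Lax makes cross-site top-level form POSTs unauthenticated"
# can be checked against concrete scenarios. Site names are constructed.

from dataclasses import dataclass

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")  # "safe" per RFC 7231


@dataclass(frozen=True)
class Request:
    method: str          # HTTP method, e.g. "GET" or "POST"
    initiator_site: str  # registrable domain of the page that caused the request
    target_site: str     # registrable domain of the request URL
    top_level: bool      # True when the request replaces the top-level document
    secure: bool = True  # True when the request is sent over HTTPS


def cookie_is_sent(samesite: str, req: Request) -> bool:
    """Return True if a cookie carrying the given SameSite value is attached to req."""
    if req.initiator_site == req.target_site:
        # Same-site requests always carry the cookie, whatever the attribute says.
        return True
    mode = samesite.strip().lower()
    if mode == "none":
        # SameSite=None is only honoured together with the Secure attribute.
        return req.secure
    if mode == "strict":
        return False
    if mode == "lax":
        # Lax: cross-site cookies only on top-level navigations with a safe method.
        return req.top_level and req.method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {samesite!r}")


def set_cookie_header(name: str, value: str, samesite: str = "Lax") -> str:
    """Build a Set-Cookie header value for a session cookie with the given SameSite mode."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "Secure", f"SameSite={samesite}"]
    return "; ".join(attrs)


def csrf_exposure(samesite: str, victim_site: str, attacker_site: str) -> dict:
    """Summarise which cross-site request shapes still carry the session cookie.

    Keys describe the request the attacker's page can cause; True means the
    cookie is attached, i.e. the request arrives authenticated.
    """
    shapes = {
        "top-level form POST": Request("POST", attacker_site, victim_site, True),
        "top-level GET navigation": Request("GET", attacker_site, victim_site, True),
        "subresource GET (img/script)": Request("GET", attacker_site, victim_site, False),
        "fetch/XHR POST": Request("POST", attacker_site, victim_site, False),
    }
    return {shape: cookie_is_sent(samesite, req) for shape, req in shapes.items()}


if __name__ == "__main__":
    print(set_cookie_header("session", "abc123"))
    for mode in ("Strict", "Lax", "None"):
        print(mode, csrf_exposure(mode, "bank.example", "attacker.example"))
```

Running the block prints, for each mode, which cross-site request shapes still arrive authenticated. The practical reading for a defender is the one the thread converges on: with Lax the top-level form POST is unauthenticated, but a top-level GET navigation still carries the cookie, so any state-changing GET endpoint remains a CSRF target and per-request anti-CSRF tokens are still needed. Browser defaults that treat attribute-less cookies as Lax carry additional exceptions (for example Chrome's temporary allowance of recently-set cookies on top-level POSTs), which this model of the explicit attribute does not cover.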