Some thoughts about CSRF tokens and CRIME/BREACH/...-like attacks:
are you only talking about missing Origin in non-fetch GET requests, or did browsers also mess up the logic around redirects, or something like that?
-
I believe form post would also not carry origin? It was really messed up last I looked at it.
-
Chrome and Firefox at least seem to send it on same-origin form post...