Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

SameSite cookies can eliminate threats from cross domain requests. The strict mode is good enough to even block cross domain regular GET requests too.

However, I wouldn't throw other anti-CSRF measures away because if the attacker can use a stored XSS vuln, they can still make their way to a CSRF as well. Besides that, not all browsers support SameSite flag yet.



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: