loading...

re: How to securely store JWT tokens. VIEW POST

TOP OF THREAD FULL DISCUSSION
re: That is not true. With javascript you can just create a tag with an src to the attacker sites - and as we know the browser always sends the cookie...

Hey Milebroke,

Not sure which comment you wanted to leave a reply. If you refer to cookies, in the case of Lax and Strict they won't be sent to the attacker's website if we, for example, inject an image with the attackers URL as the source. That's because it's not considered a first level navigation event.

Although, it may be sent if the attacker creates a GET form and sends it by clicking the button through javascript. I have to admit that I have not tested this scenario, but you will be fine if you just use Strict flag, as it will prevent all cross domain cookie sharing.

code of conduct - report abuse