DEV Community

Discussion on: CSRF tokens for SPAs - Possible?

michi profile image
Michael Z Author

Yea, it was fixed ages ago, but with ES6 proxies, it resurfaced. Now everything is fine again, but it could appear again with new browser features.

But there are also other security mechanisms since then to protect from it like SameSite, CORB (JSON hijacking is referred to as XSSI in that article), and the nosniff header.