Really nice post about CSRF!
But the xsrf cookie is not httpOnly, so what if on evil-site there's a script to get it and put it in X-XSRF-HEADER before sending the request? Is there an alternative solution to prevent this? I really want to hear from you.
He mentioned the following: "The server also adds an xsrfToken in a cookie (why cookie? cause cookies are limited by same-origin policy)."
From MDN: Access to data stored in the browser such as Web Storage and IndexedDB are separated by origin. Each origin gets its own separate storage, and JavaScript in one origin cannot read from or write to the storage belonging to another origin. Cookies use a separate definition of origins.
(developer.mozilla.org/en-US/docs/W...)
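As an added example (not code from the post or from either commenter), here is a minimal server-side double-submit check that shows why the non-httpOnly cookie is not the weak point the first comment worries about. The browser attaches the cookie to any request for the site, including one triggered from evil-site, but the matching header can only be set by script, and script on evil-site cannot read the cookie because `document.cookie` is scoped to the site that set it. The cookie and header names (`XSRF-TOKEN` / `X-XSRF-TOKEN`, Angular style) and the helper names are assumptions for this example; the request dictionaries are constructed, not captured traffic.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Cookie/header names assumed for this example (Angular-style double submit).
XSRF_COOKIE = "XSRF-TOKEN"
XSRF_HEADER = "X-XSRF-TOKEN"


def issue_token() -> str:
    """Mint a fresh random token; the server sets it as a non-httpOnly cookie
    so the site's own JavaScript can read it and echo it in the header."""
    return secrets.token_urlsafe(32)


def _lower_headers(headers: dict) -> dict:
    # HTTP header names are case-insensitive; normalise for lookup.
    return {k.lower(): v for k, v in headers.items()}


def check_double_submit(headers: dict) -> bool:
    """Accept a state-changing request only when the XSRF cookie and the
    X-XSRF-TOKEN header carry the same token.

    A forged cross-site request arrives with the cookie (the browser adds it
    automatically) but without the header, because evil-site's script cannot
    read our cookie to copy its value. That request is rejected.
    """
    lower = _lower_headers(headers)
    jar = SimpleCookie()
    jar.load(lower.get("cookie", ""))
    if XSRF_COOKIE not in jar:
        return False
    cookie_token = jar[XSRF_COOKIE].value
    header_token = lower.get(XSRF_HEADER.lower())
    if not header_token:
        return False
    # Constant-time comparison so a mismatch cannot be probed via timing.
    return hmac.compare_digest(cookie_token, header_token)


def check_origin(headers: dict, allowed_origin: str) -> bool:
    """Defence in depth: browsers set the Origin header on cross-site POSTs
    and page script cannot forge it, so a request whose Origin is not ours
    is rejected regardless of the token check."""
    origin = _lower_headers(headers).get("origin")
    return origin is not None and origin == allowed_origin


def is_request_allowed(headers: dict, allowed_origin: str) -> bool:
    """Combined check a request handler would run before a state change."""
    return check_origin(headers, allowed_origin) and check_double_submit(headers)


def demo() -> dict:
    """Constructed requests: one from our own page, one forged from evil-site."""
    token = issue_token()
    site = "https://app.example"
    legit = {
        "Origin": site,
        "Cookie": f"{XSRF_COOKIE}={token}",
        XSRF_HEADER: token,          # our own script read the cookie and set this
    }
    forged = {
        "Origin": "https://evil-site.example",
        "Cookie": f"{XSRF_COOKIE}={token}",  # browser attaches it automatically
        # no X-XSRF-TOKEN: evil-site's script could not read the cookie
    }
    return {
        "legit": is_request_allowed(legit, site),
        "forged": is_request_allowed(forged, site),
    }


if __name__ == "__main__":
    print(demo())
```

The Origin check is the answer to "is there an alternative": it is cheap, independent of the cookie, and catches the forged request even if the token scheme were misconfigured. Note that the double-submit pattern does not protect against a script injected into the site itself (XSS); that script runs in the site's own origin and can read the cookie, which is a different problem from CSRF.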