| ▲ | tptacek 3 hours ago | |
No? The whole point of SameSite=(!none) is to prevent requests from unexpectedly carrying cookies, which is how CSRF attacks work. | ||
| ▲ | hatefulheart 2 hours ago | parent [-] | |
What does this even mean? I’m not being rude, what does it mean to unexpectedly carry cookies? That’s not what I understand the risk of CSRF is. My understanding is that we want to ensure a POST came from our website and we do so with a double signed HMAC token that is present in the form AND the cookie, which is also tied to the session. What on earth is unexpectedly carrying cookies? | ||