louiskottmann 2 hours ago
I appreciate that, but in the case of TLS or CSRF tokens the server is not blindly trusting the browser in the way Sec-Fetch-Site makes it.

tptacek 2 hours ago
Sure it is. The same-origin rule that holds the whole web security model together is entirely a property of browser behavior.