nchmy 3 hours ago
Client side js is not particularly relevant to csrf.

tptacek 3 hours ago
I mostly agree, but that's the logic OWASP uses to argue you should still be doing explicit tokens even if you're using SameSite and Sec-Fetch.