undefined | Better HN

0 pointslouiskottmann3mo ago0 comments

I appreciate that, but in the case of TLS or CSRF tokens the server is not blindly trusting the browser in the way Sec-Fetch-Site makes it.

0 comments

Sure it is. The same-origin rule that holds the whole web security model together is entirely a property of browser behavior.

That's indeed a good example of prior full trusting of the browser by the server.

j / k navigate · click thread line to collapse

0 pointslouiskottmann3mo ago0 comments

I appreciate that, but in the case of TLS or CSRF tokens the server is not blindly trusting the browser in the way Sec-Fetch-Site makes it.

Sure it is. The same-origin rule that holds the whole web security model together is entirely a property of browser behavior.

That's indeed a good example of prior full trusting of the browser by the server.

j / k navigate · click thread line to collapse