undefined | Better HN

0 pointsFiloSottile5mo ago0 comments

Browser vendors have absolutely thought about this, at length.

The web platform is intricate, legacy, and critical. Websites by and large can’t and don’t break with browser updates, which makes all of these things like operating on the engine in flight.

For example, click through some of the multiple iterations of the Schemeful Same Site proposal linked from my blog.

Thing is, SameSite’s primary goal was not CSRF prevention, it was privacy. CSRF is what Fetch metadata is for.

0 comments

hn_throwaway_995mo ago

> Thing is, SameSite’s primary goal was not CSRF prevention, it was privacy.

That doesn't make any sense to me, can you explain? Cookies were only ever readable or writable by the site that created them, even before SameSite existed. Even with a CSRF vulnerability, the attacker could never read the response from the forged request. So it seems to me that SameSite fundamentally is more about preventing CSRF vulnerabilities - it actually doesn't do much (beyond that) in terms of privacy, unless I'm missing something.

j / k navigate · click thread line to collapse

0 comments

hn_throwaway_995mo ago

> Thing is, SameSite’s primary goal was not CSRF prevention, it was privacy.

j / k navigate · click thread line to collapse