- From: Brad Hill <notifications@github.com>
- Date: Thu, 01 Dec 2016 16:14:06 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Friday, 2 December 2016 00:14:44 UTC
Yes, in some jurisdictions there are restrictions about setting cookies that might be used to track logged-out user behavior. The entropic cookie one would need to prevent login CSRF looks exactly like a tracking cookie, so being able to get a reliable Origin header on POST helps prevent attacks like the one described at http://sakurity.com/reconnect -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/225#issuecomment-264336206
Received on Friday, 2 December 2016 00:14:44 UTC