- From: Francois Marier <notifications@github.com>
- Date: Tue, 29 Nov 2016 11:59:10 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Tuesday, 29 November 2016 19:59:44 UTC
Facebook uses that header when it's available, otherwise, I think they fall back to checking the Referrer, which is a lot less reliable. To prevent login CSRF, we can't rely on cookies because users don't have cookies at that point (for various reasons, not every site is able to set pre-login cookies). I'm open to renaming the header if Chrome is on board too (and we think we can do it), but what Chrome does seem like a worthwhile mechanism, especially if we want sites to move away from relying on Referrer on their login pages. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/225#issuecomment-263681215
Received on Tuesday, 29 November 2016 19:59:44 UTC