- From: arturjanc <notifications@github.com>
- Date: Thu, 31 Jan 2019 07:37:05 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 31 January 2019 15:37:27 UTC
Yes, the part of your site which expects to respond to CORS requests could still be vulnerable to CSRF. But requests to this part of your site will be made in `cors` mode so you can check the `Origin` header and make sure that the request is sent same-site, getting protection equivalent (or very close) to what `SameSite` cookies offer.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/769#issuecomment-459389463
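The `Origin` check described in the message above, sketched as a server-side helper. This is an added example, not part of the original message or of the Fetch specification; the site configuration (`https`, `example.com`), the function names, and the policy of rejecting state-changing requests that carry no `Origin` header are assumptions.

```javascript
'use strict';

// Constructed configuration (assumption): the site's scheme and registrable domain.
const SITE = { scheme: 'https:', domain: 'example.com' };

// True when the Origin header value is same-site with SITE:
// same scheme, and host equal to SITE.domain or one of its subdomains.
// The port is ignored, since "site" does not include it.
function isSameSiteOrigin(originHeader, site = SITE) {
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false; // not parseable as an absolute URL
  }
  // A genuine Origin value is exactly scheme://host[:port]; anything that does
  // not round-trip (path, credentials, odd casing, opaque scheme) is rejected.
  if (url.origin !== originHeader) return false;
  if (url.protocol !== site.scheme) return false;
  const host = url.hostname;
  // The leading dot prevents "evilexample.com" from matching "example.com".
  return host === site.domain || host.endsWith('.' + site.domain);
}

// Decision for a request to the part of the site that answers CORS requests.
// `headers` uses lowercase keys, as Node's http module provides them.
function checkRequest(method, headers) {
  const safe = ['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase());
  if (safe) return { allowed: true, reason: 'safe method' };
  const origin = headers.origin;
  if (origin === undefined) {
    // Assumed policy: fail closed when a state-changing request has no Origin.
    return { allowed: false, reason: 'missing Origin' };
  }
  return isSameSiteOrigin(origin)
    ? { allowed: true, reason: 'same-site Origin' }
    : { allowed: false, reason: 'cross-site Origin' };
}
```

The suffix match stands in for a real registrable-domain comparison; a site hosted under a shared public suffix would need the Public Suffix List or an explicit allowlist of origins instead.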