Hacker News
by blntechie 3334 days ago
It's not the same, but don't httpOnly cookies kind of serve the same purpose? JS can't read these cookies at all?
1 comment
hdhzy 3334 days ago
JS can't (that protects against stealing the token), but the server still receives it even when the request originates from a foreign domain. That's the gist of CSRF [0].
[0]: https://en.wikipedia.org/wiki/Cross-site_request_forgery
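The point hdhzy makes above, as an added example that is not part of the thread: a toy state-changing endpoint that receives an httpOnly session cookie on every request the browser sends, including a form POST launched from another origin, and the two server-side checks (Origin/Referer comparison and a per-session synchronizer token) that reject the cross-site case. The origin `https://bank.example`, the session store, and all request objects are constructed for the demonstration; nothing here is networked.

```python
"""
Added example, not code from the Hacker News thread. Models why an httpOnly
cookie does not prevent CSRF: the browser attaches the cookie to a cross-site
form POST regardless of who built the form. The server-side defences shown are
an Origin/Referer check and a synchronizer (per-session) CSRF token.
All request objects are constructed inline.
"""
from dataclasses import dataclass, field
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected application

# Constructed server-side session store: session id -> user and per-session CSRF token.
# The token is only ever rendered into our own HTML pages, so a page on another
# origin cannot read it (the browser's same-origin policy blocks that).
SESSIONS = {"sess-123": {"user": "alice", "csrf": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)  # attached automatically by the browser
    form: dict = field(default_factory=dict)


def handle_transfer(req: Request) -> tuple[int, str]:
    """State-changing endpoint. Returns (HTTP status, body)."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "no session"
    if req.method != "POST":
        return 405, "POST only"

    # Check 1: the request must come from our own origin. A cross-site form POST
    # still carries the victim's httpOnly cookie, but the browser sets the Origin
    # (or Referer) header to the page that submitted the form, not to us.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403, "cross-origin request rejected"

    # Check 2: synchronizer token. Compared in constant time so the check itself
    # does not leak the token through timing differences.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"

    return 200, f"transfer accepted for {session['user']}"


def cross_site_post() -> Request:
    """Constructed: a POST auto-submitted from a page on another origin. The browser
    still sends the httpOnly 'sid' cookie, but Origin names the other site and the
    form cannot contain our per-session token."""
    return Request(
        "POST",
        headers={"Origin": "https://other-site.example"},
        cookies={"sid": "sess-123"},
        form={"amount": "100"},
    )


def same_origin_post(with_token: bool) -> Request:
    """Constructed: a POST from our own page, with or without the embedded token."""
    form = {"amount": "100"}
    if with_token:
        form["csrf_token"] = SESSIONS["sess-123"]["csrf"]
    return Request("POST", headers={"Origin": SITE_ORIGIN}, cookies={"sid": "sess-123"}, form=form)


if __name__ == "__main__":
    for label, req in [
        ("cross-site POST with cookie", cross_site_post()),
        ("same-origin POST, no token", same_origin_post(False)),
        ("same-origin POST with token", same_origin_post(True)),
    ]:
        print(f"{label:32} -> {handle_transfer(req)}")
```

Both checks are worth keeping: the Origin/Referer comparison is cheap and needs no state, while the token protects requests where those headers are missing or stripped. Setting `SameSite=Lax` or `SameSite=Strict` on the session cookie adds a browser-enforced layer on top of these, but it is a cookie attribute the server must opt into, not something httpOnly provides.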