by tcheard
3292 days ago
I wasn't saying a CSRF token saves you here. All I'm saying is that security is a complicated topic. People already misunderstand things like CSRF, CORS, resource protection, etc. And they already get them wrong. CORS is designed to loosen the security protections added by a same origin policy. It is not designed to increase security. Piling on CSRF protections is just blurring the use case for CORS. All this is going to do is confuse people more, and more people are going to get it wrong.