by weitzj 3147 days ago
As far as I understood, to prevent CSRF, you do a double submit:

- server sends an HttpOnly cookie, which cannot be read from JavaScript
- server sends a new CSRF token via header/form for each request

On POST, send back the CSRF token via form/header and let the browser send along the HttpOnly cookie.

The OWASP cheat sheets are a good read.

1 comment
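The double-submit flow described in the comment above, as an added worked example (not code from the comment or from OWASP): the session cookie is an opaque HttpOnly value, each response carries a fresh token whose HMAC binds it to that cookie, and a state-changing request is accepted only when the browser-attached cookie and the explicitly submitted token agree. `SERVER_KEY`, `COOKIE_NAME`, the function names and the sample cookie header are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed per-process key; a real deployment loads this from configuration.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "session"  # assumed cookie name


def issue_session_cookie() -> str:
    """Value the server sets as `Set-Cookie: session=...; HttpOnly; Secure; SameSite=Lax`.
    Page script cannot read it, so a cross-site page cannot copy it into a header."""
    return secrets.token_urlsafe(32)


def issue_csrf_token(session_cookie: str) -> str:
    """Fresh per-request token: nonce + HMAC(key, cookie | nonce).
    Delivered in a hidden form field or a response header, never in a URL query string."""
    nonce = secrets.token_urlsafe(16)
    mac = hmac.new(SERVER_KEY, f"{session_cookie}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf(cookie_header: Optional[str], submitted_token: Optional[str]) -> bool:
    """Check a state-changing request: the browser-attached cookie and the explicitly
    submitted token must both be present, and the token's MAC must bind to that cookie."""
    if not cookie_header or not submitted_token:
        return False  # a forged cross-site form carries the cookie but never the token
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return False
    session_cookie = jar[COOKIE_NAME].value
    nonce, sep, mac = submitted_token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_cookie}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def demo() -> dict:
    """Simulate the legitimate flow and the requests a forged cross-site page could produce."""
    cookie = issue_session_cookie()
    token = issue_csrf_token(cookie)
    cookie_header = f"{COOKIE_NAME}={cookie}; theme=dark"  # constructed Cookie header
    token_for_other_session = issue_csrf_token(issue_session_cookie())
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "legitimate_post": verify_csrf(cookie_header, token),
        "forged_post_without_token": verify_csrf(cookie_header, None),
        "token_from_other_session": verify_csrf(cookie_header, token_for_other_session),
        "tampered_token": verify_csrf(cookie_header, tampered),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The binding is stateless: the server keeps no token table, because the HMAC ties each token to the cookie it was issued for. It issues a fresh token per response but does not by itself enforce single use; rejecting replays of an already-spent token requires tracking nonces server-side.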

Yea, but doing it that way requires the same-origin policy not to be weakened, like from CORS being misconfigured. http://blog.portswigger.net/2016/10/exploiting-cors-misconfi... talks about exploits from this.

But what I am wondering is if using "Access-Control-Allow-Origin: evil-site.example.com or *" can be used to exploit the cookie-to-header technique with a token for every request (GETs included), no form GETs (so the token doesn't appear in the URL query), HTTPS, and no browser bugs or XSS vulnerabilities. The wiki articles suggest it could be exploited, but I'm thinking they're just worded conservatively.