by bawolff
2355 days ago
> as it doesn't rely on site developers updating and setting the new flag right.

Chrome is enabling this flag by default. Websites can opt out, but if they do nothing they are opted in. Blocking third-party cookies doesn't really stop CSRF attacks. At most it makes the attack a bit more noticeable, as it prevents some of the quieter methods of pulling off the attack. Since, as far as I understand, if you submit a cross-domain POST form, that's still a first-party cookie.