by Ironlink
930 days ago
My best guess is that they are thinking of CSRF. With cookies, requests automatically carry the token, whereas with local storage you need to explicitly add the token. However, CORS does a lot to improve this situation. I note that CORS allows posting form data without pre-flight, but it is not immediately clear to me if posting a form cross-domain will send cookies.

As the sibling comment says, this is what SameSite is for.
If it's a POST form, SameSite=Lax or SameSite=Strict won't send the cookie.
If it's a GET form, SameSite=Strict won't send the cookie. SameSite=Lax might, I'm not entirely sure.
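The cases the two comments above reason about (cross-site form POST, cross-site form GET, each under Strict/Lax/None) can be worked through with a small model of the SameSite rules from RFC 6265bis. The code below is an added example written for this thread, not code posted by either commenter. It parses a constructed Set-Cookie header and applies the rules a browser uses when deciding whether to attach the cookie to a cross-site request. Assumptions, labelled in the comments: a missing SameSite attribute is treated as Lax (the Chromium default), the Chromium "Lax+POST" two-minute exception for freshly set cookies is ignored, and a SameSite=None cookie without Secure is modelled as never sent because browsers reject it at set time.

```javascript
// Added example (not from the thread): models whether a browser attaches a
// cookie to a request under the SameSite rules of RFC 6265bis. No real browser
// is involved; every input below is constructed for illustration.

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
// Attributes without a value (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('='), attrs: {} };
  for (const part of parts.slice(1)) {
    const [key, ...val] = part.split('=');
    cookie.attrs[key.trim().toLowerCase()] = val.length ? val.join('=').trim() : true;
  }
  return cookie;
}

// Decide whether `cookie` is sent on a request described by `req`:
//   req.method             HTTP method of the request
//   req.crossSite          true if the request's initiator site != cookie's site
//   req.topLevelNavigation true for a navigation (address bar, link, form
//                          submission into the top frame); false for iframe
//                          loads, fetch/XHR, <img>, etc.
//   req.https              true if the request goes over HTTPS
function cookieIsSent(cookie, req) {
  const secure = cookie.attrs.secure === true;
  // A Secure cookie never travels over plain HTTP, same-site or not.
  if (secure && !req.https) return false;
  // Same-site requests always carry the cookie; SameSite only governs cross-site.
  if (!req.crossSite) return true;

  const safeMethod = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(req.method.toUpperCase());
  // Assumption: a cookie with no SameSite attribute behaves as Lax (Chromium default).
  const mode = String(cookie.attrs.samesite || 'Lax').toLowerCase();

  switch (mode) {
    case 'strict':
      // Strict: never sent cross-site, not even on a top-level GET navigation.
      return false;
    case 'none':
      // None: sent on every cross-site request, but only valid with Secure.
      // Assumption: a None cookie lacking Secure is rejected at set time, so
      // it is modelled here as never sent.
      return secure;
    case 'lax':
    default:
      // Lax: sent cross-site only for top-level navigations using a safe
      // method. A cross-site POST form submission therefore does not carry
      // it; a cross-site GET form submission into the top frame does.
      // (Chromium's "Lax+POST" exception for cookies under 2 minutes old is
      // deliberately ignored here; assumption.)
      return req.topLevelNavigation && safeMethod;
  }
}

// Run the scenarios discussed in the thread and return the outcomes.
function threadCases() {
  const postForm = { method: 'POST', crossSite: true, topLevelNavigation: true, https: true };
  const getForm = { method: 'GET', crossSite: true, topLevelNavigation: true, https: true };
  const iframeGet = { method: 'GET', crossSite: true, topLevelNavigation: false, https: true };
  const results = {};
  for (const mode of ['Strict', 'Lax', 'None']) {
    // Constructed Set-Cookie header, as an application might emit it.
    const cookie = parseSetCookie(`session=abc123; Secure; HttpOnly; Path=/; SameSite=${mode}`);
    results[mode] = {
      postForm: cookieIsSent(cookie, postForm),
      getForm: cookieIsSent(cookie, getForm),
      iframeGet: cookieIsSent(cookie, iframeGet),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(threadCases());
}

module.exports = { parseSetCookie, cookieIsSent, threadCases };
```

Running it with `node samesite.js` prints a table with one row per mode. The row that answers the open question in the comment above is Lax: the cross-site POST form is refused, the cross-site GET form submitted as a top-level navigation is allowed, and the same GET from inside an iframe is refused again because it is not a top-level navigation.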