by dagss
253 days ago
Yes, this is documenting one particular way of doing CSRF. A specific implementation. The OP is documenting another implementation to protect against CSRF, which is unsuitable for many since it fails to protect 5% of browsers, but still an interesting look at the road ahead for CSRF and in some years perhaps everyone will change how this is done. And you say it isn't OK, but have not in my opinion properly argued for why not.

You can change a setting on caniuse.com and it excludes untracked browsers. Sec-Fetch-Site goes up to 97.6, with remainder being a bit of safari (which will likely update soon) and some people still on ancient versions of chrome.
The fallback origin header goes to 99.8 coverage.
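As an added example (not the commenter's code, and not from any project discussed in the thread), here is the layered check the comment describes: a state-changing request is accepted on the strength of `Sec-Fetch-Site` when the browser sends it, and on the `Origin` header as a fallback when it does not. Requests that carry neither header are rejected, which is the gap the comment's coverage numbers are about. The hostnames, header sets and the `is_request_allowed` / `evaluate_samples` function names are assumptions made for this example.

```python
"""CSRF request-origin check: Sec-Fetch-Site first, Origin header as fallback.

Added illustrative example, not code from the thread or any project it names.
Hostnames such as https://app.example are placeholders.
"""

# Methods that must never change server state, so they need no origin check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def _normalise_origin(origin: str) -> str:
    """Lower-case and strip a trailing slash so comparisons are exact-match."""
    return origin.strip().rstrip("/").lower()


def is_request_allowed(method: str, headers: dict, allowed_origins) -> tuple:
    """Return (allowed, reason) for one request.

    Policy, from most to least reliable signal:
      1. Sec-Fetch-Site present: allow 'same-origin' and 'none' (user-initiated
         navigation); reject 'same-site' and 'cross-site'.
      2. Otherwise fall back to Origin: allow only an exact match against the
         configured allow-list; reject the opaque value 'null'.
      3. Neither header: reject. These are the clients neither mechanism covers.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no check needed"

    # Header names are case-insensitive; normalise once.
    lowered = {name.lower(): value for name, value in headers.items()}

    site = lowered.get("sec-fetch-site")
    if site is not None:
        site = site.strip().lower()
        if site in ("same-origin", "none"):
            return True, f"Sec-Fetch-Site={site}"
        return False, f"Sec-Fetch-Site={site}"

    origin = lowered.get("origin")
    if origin is None:
        return False, "no Sec-Fetch-Site and no Origin header"

    origin = _normalise_origin(origin)
    if origin == "null":
        return False, "opaque Origin 'null'"

    allowed = {_normalise_origin(o) for o in allowed_origins}
    if origin in allowed:
        return True, f"Origin {origin} is on the allow-list"
    return False, f"Origin {origin} is not on the allow-list"


# Constructed sample requests (not captured traffic) covering each branch.
SAMPLE_REQUESTS = [
    ("GET",  {}, "safe read"),
    ("POST", {"Sec-Fetch-Site": "same-origin"}, "modern browser, own page"),
    ("POST", {"Sec-Fetch-Site": "cross-site", "Origin": "https://app.example"},
             "modern browser, cross-site form (Origin spoofable only by non-browsers)"),
    ("POST", {"Origin": "https://app.example"}, "older browser, same origin"),
    ("POST", {"Origin": "https://attacker.example"}, "older browser, foreign origin"),
    ("POST", {"Origin": "null"}, "sandboxed frame or file:// page"),
    ("POST", {}, "client sending neither header"),
]


def evaluate_samples(allowed_origins=("https://app.example",)) -> list:
    """Run every constructed sample through the check; returns [(label, allowed, reason)]."""
    results = []
    for method, headers, label in SAMPLE_REQUESTS:
        allowed, reason = is_request_allowed(method, headers, allowed_origins)
        results.append((label, allowed, reason))
    return results


if __name__ == "__main__":
    for label, allowed, reason in evaluate_samples():
        print(f"{'ALLOW' if allowed else 'REJECT':6} {label:55} ({reason})")
```

The order matters: when `Sec-Fetch-Site` is present the `Origin` header is not consulted at all, because the fetch-metadata value is set by the browser and cannot be influenced by page content, whereas the allow-list comparison on `Origin` is only as good as the list. The third sample shows this: a cross-site request is rejected even though its `Origin` would have passed the fallback. Whether `same-site` should be treated as trusted is a per-deployment decision; this version rejects it.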