| Again, the maintainer eventually came around. Our confusion might be due to the fact that an erroneous PR (by seemingly an AI-wielding student...) was somehow recently accepted that completely reverted the changes we collectively worked on, which effectively made Fetch Metadata a full solution. So, it is back to showing as defense in depth. I've raised an issue about it, which wouldn't have happened if I hadn't seen your article!
|
| Here's the previous language:
|
| > If your software targets only modern browsers, you may rely on [Fetch Metadata headers](#fetch-metadata-headers) together with the fallback options described below to block cross-site state-changing requests
|
| We then detailed some fallbacks (e.g. the Origin header). Full text can be viewed in the original PR https://github.com/OWASP/CheatSheetSeries/pull/1875 or https://github.com/OWASP/CheatSheetSeries/blob/7fc3e6b8fde65...
|
| If after reading that you still think that Fetch Metadata is not a viable full solution, I'd be curious to know why - the goal of that PR (and the preceding discussion that I instigated) was to upgrade it from Defense in Depth to Full (even if slightly less full than tokens, due to the possible need for some fallbacks).
Confession: I did not read the PR. I assumed that what is currently published in the cheatsheet is the same as the PR. This is what guided my analysis.
I will update my article to be in agreement with reality, now that I understand it. Thanks!
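The approach the quoted PR describes (Fetch Metadata as the primary check, with the Origin header as a fallback for clients that do not send it) can be written as a small request classifier. This is an added example written for this thread, not code from the OWASP cheat sheet, the PR, or either commenter; `is_allowed`, `own_origin`, `trusted_origins` and the specific policy choices (rejecting `same-site` for state-changing requests, accepting `none`, falling back to Referer when Origin is absent) are assumptions made here, not something the cheat sheet prescribes.

```python
"""Added example (not from the thread or the OWASP cheat sheet): a CSRF
request classifier that applies the Fetch Metadata check first and falls
back to Origin / Referer for clients that do not send Sec-Fetch-Site."""
from urllib.parse import urlsplit

# Methods that must not change state; they are never blocked by this check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_allowed(method, headers, own_origin, trusted_origins=()):
    """Return (allowed, reason) for a request.

    `headers` is a dict of request headers (looked up case-insensitively),
    `own_origin` is the application's own origin, e.g. 'https://app.example',
    `trusted_origins` are additional origins permitted to send state-changing
    requests (assumed parameter for cross-origin partners).

    Policy (an assumption matching the fallback approach quoted above):
      1. Safe methods are allowed unconditionally.
      2. If Sec-Fetch-Site is present it is authoritative: allow only
         'same-origin' and 'none' (user-initiated navigation). 'same-site'
         is rejected because a sibling subdomain is still a different origin.
      3. If the header is absent (older client), fall back to Origin, then to
         the origin part of Referer. No usable value means reject.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    site = h.get("sec-fetch-site")
    if site is not None:
        if site in ("same-origin", "none"):
            return True, f"sec-fetch-site={site}"
        return False, f"sec-fetch-site={site}"

    # Fallback path: client did not send Fetch Metadata.
    origin = h.get("origin")
    if origin is None and "referer" in h:
        parts = urlsplit(h["referer"])
        if parts.scheme and parts.netloc:
            origin = f"{parts.scheme}://{parts.netloc}"
    if origin is None:
        return False, "no fetch metadata and no origin/referer"
    # An 'Origin: null' value (sandboxed or opaque origin) never matches.
    if origin == own_origin or origin in trusted_origins:
        return True, f"origin={origin}"
    return False, f"origin={origin}"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", {"Sec-Fetch-Site": "same-origin"}),
        ("POST", {"Sec-Fetch-Site": "cross-site", "Origin": "https://app.example"}),
        ("POST", {"Origin": "https://app.example"}),
        ("POST", {"Referer": "https://app.example/account/settings"}),
        ("POST", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", is_allowed(method, hdrs, "https://app.example"))
```

Note that when `Sec-Fetch-Site` is present it wins even if a matching `Origin` header is also sent: the fallback is only consulted for clients that do not speak Fetch Metadata, which is the distinction the quoted PR language draws between "modern browsers" and the fallback options.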