Hacker News
by
tptacek
182 days ago
The entire web security model assumes we can trust browsers to implement web security policies!
1 comments
louiskottmann
182 days ago
I appreciate that, but in the case of TLS or CSRF tokens the server is not blindly trusting the browser in the way Sec-Fetch-Site makes it.
tptacek
182 days ago
Sure it is. The same-origin rule that holds the whole web security model together is entirely a property of browser behavior.
louiskottmann
182 days ago
That's indeed a good example of prior full trusting of the browser by the server.