by szmarczak
6 days ago
> they tend to require disabling HttpOnly for not very good reasons

First time I'm hearing that frameworks require disabling HttpOnly.

> Disabling iframes doesn't fix CSRF. You can still <form method="..." /> or <img /> tags or whatever.

Obviously. IMG tags don't work because of CORS (unless you explicitly allow this), nor script tags etc. Browsers send Origin and Sec-Fetch-* headers which you can use to block POST navigation requests from other origins, like you mentioned. But when you're using tokens in JavaScript then you don't have to worry because you already have your CSRF token, which is inaccessible to third parties and no form submit will include it. That's why local storage is more secure.

They effectively do in the case where you're using local storage because they need to grab the session token from somewhere. The thing about HttpOnly is that JS code never even gets to see the session token, which is a mitigation for a whole class of vulnerabilities.

> ...CSRF

You have to mitigate CSRF server-side (with a CSRF token, checking the Sec-Fetch-* headers) or by using SameSite on the client side (ideally both).

There's a reason "don't use local storage for security sensitive stuff" is part of the OWASP cheatsheet [1].

[1]: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Securit...
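The mitigations both commenters describe (checking the Origin and Sec-Fetch-Site headers, a CSRF token that only same-origin JavaScript can attach, and an HttpOnly + SameSite session cookie) combined into one server-side check. This is an added example, not code from either commenter; the allowed origin, the X-CSRF-Token header name and the sample requests are constructed for the demonstration.

```javascript
// Added example, not from either commenter: one server-side helper that applies the
// CSRF mitigations discussed in the thread. The origin, header names and sample
// requests below are constructed for the demonstration.

// The only origin allowed to make state-changing requests (constructed value).
const ALLOWED_ORIGIN = 'https://app.example';

// Build the Set-Cookie value for the session cookie. HttpOnly keeps JavaScript from
// reading it, SameSite=Strict stops browsers attaching it to cross-site requests,
// and Secure restricts it to HTTPS.
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constant-time string comparison so the token check does not leak timing information.
function tokensEqual(actual, expected) {
  if (typeof actual !== 'string' || typeof expected !== 'string') return false;
  if (actual.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < actual.length; i++) {
    diff |= actual.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Validate a request. `req` is { method, headers } with header names in any case;
// `expectedToken` is the CSRF token issued to this session (e.g. delivered to the
// page's JavaScript, never readable by another origin).
// Returns { ok: true } or { ok: false, reason }.
function checkCsrf(req, expectedToken) {
  const method = req.method.toUpperCase();
  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') {
    return { ok: true }; // safe methods must not change state, so nothing to protect
  }
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    headers[name.toLowerCase()] = value;
  }

  // 1. Sec-Fetch-Site: modern browsers set it on every request. Only same-origin
  //    requests and user-initiated navigations ("none") are acceptable here.
  const site = headers['sec-fetch-site'];
  if (site !== undefined && site !== 'same-origin' && site !== 'none') {
    return { ok: false, reason: `Sec-Fetch-Site is ${site}` };
  }
  // 2. Origin: browsers send it on POST; it must be our own origin.
  const origin = headers['origin'];
  if (origin !== undefined && origin !== ALLOWED_ORIGIN) {
    return { ok: false, reason: `Origin ${origin} is not allowed` };
  }
  if (origin === undefined && site === undefined) {
    return { ok: false, reason: 'neither Origin nor Sec-Fetch-Site present' };
  }
  // 3. CSRF token: a plain <form> or <img> on another site cannot add a custom
  //    request header, so only our own JavaScript can attach this one.
  if (!tokensEqual(headers['x-csrf-token'], expectedToken)) {
    return { ok: false, reason: 'missing or wrong CSRF token' };
  }
  return { ok: true };
}

// Constructed sample requests, shaped as a framework would hand them to the check.
const TOKEN = 'tok_0123456789abcdef';
const SAMPLE_REQUESTS = {
  legit: { method: 'POST', headers: {
    'Origin': ALLOWED_ORIGIN, 'Sec-Fetch-Site': 'same-origin', 'X-CSRF-Token': TOKEN } },
  crossSiteForm: { method: 'POST', headers: {
    'Origin': 'https://other.example', 'Sec-Fetch-Site': 'cross-site' } },
  sameOriginNoToken: { method: 'POST', headers: {
    'Origin': ALLOWED_ORIGIN, 'Sec-Fetch-Site': 'same-origin' } },
  safeGet: { method: 'GET', headers: {} },
};

// Run every sample through the check and return the verdicts by name.
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = checkCsrf(req, TOKEN);
  }
  return out;
}

console.log(sessionCookieHeader('s3ss10n'));
console.log(runSamples());
```

The three checks are layered on purpose: the header checks stop cross-site form and image requests even if the token handling has a bug, and the token check still holds on browsers that send neither Origin nor Sec-Fetch-Site consistently. The cookie flags complement them on the client side, which is the "ideally both" from the reply.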