I still don't understand the threat model and, obviously, it's not explained here either.
I log in to social.net. I click on scam.org and change sites. I'm on scam.org and it triggers a request to social.net/friends.
No cookies are sent, no JWT. I'm not logged in and get a "Needs login" HTTP error. Nothing bad happens.
I thought that's how it works without CORS already.
Cookies will be sent if SameSite=None. Because a lot of the web's security features were implemented well after the tech was popular, it's a patchwork with lots of overlap.
By default, cookies are sent for cross-origin requests. The SameSite cookie flag that lets sites control this was only shipped in Safari the year before this blog post was written, so it would have been hard to depend on it yet.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Coo...
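As an added example that is not part of the thread, the script below models the cookie-attachment decision the two replies describe: whether a cookie that social.net set is attached to a request that a page on scam.org triggers, depending on the cookie's SameSite attribute. It assumes a simplified rule set, and the `legacyBrowser` flag stands for browsers that treated a missing SameSite attribute as None (cookies always sent cross-site), while modern browsers default it to Lax and drop SameSite=None cookies that are not also Secure.

```javascript
// Simplified model of browser SameSite cookie rules (added example, not browser code).

function parseSetCookie(header) {
  // Parses "name=value; Secure; SameSite=None" into a plain object.
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    secure: false,
    sameSite: null, // null: the attribute was not set at all
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

function cookieIsSent(cookie, req) {
  // req: { crossSite, topLevelNavigation, method, https, legacyBrowser }
  if (cookie.secure && !req.https) return false; // Secure cookies need HTTPS
  if (!req.crossSite) return true;               // same-site: SameSite is irrelevant
  // Missing or unrecognised value falls back to the browser default.
  const known = ["strict", "lax", "none"].includes(cookie.sameSite);
  const mode = known ? cookie.sameSite : (req.legacyBrowser ? "none" : "lax");
  switch (mode) {
    case "strict":
      return false; // never attached to a cross-site request
    case "lax":
      // Only on top-level navigations with a safe method (e.g. clicking a link),
      // never on a cross-site fetch/XHR or an embedded subresource.
      return req.topLevelNavigation && ["GET", "HEAD"].includes(req.method);
    default: // "none"
      // Modern browsers reject SameSite=None cookies that are not also Secure.
      return req.legacyBrowser || cookie.secure;
  }
}

// The thread's scenario: a page on scam.org fires fetch("https://social.net/friends").
const scamOrgFetch = { crossSite: true, topLevelNavigation: false, method: "GET", https: true };

function friendsRequestCarriesSession(setCookieHeader, legacyBrowser) {
  const req = Object.assign({}, scamOrgFetch, { legacyBrowser });
  return cookieIsSent(parseSetCookie(setCookieHeader), req);
}
```

In this model the cross-site fetch from scam.org carries the session cookie only when it was set with `SameSite=None; Secure`, or when the browser predates the Lax default and the attribute was simply never set.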