adevilinycDec 22

CSRF protection without tokens or hidden form fields

https://blog.miguelgrinberg.com/post/csrf-protection-without-tokens-or-hidden-form-fields

CSRF Protection without Tokens or Hidden Form Fields

A couple of months ago, I received a request from a random Internet user to add CSRF protection to my little web framework Microdot, and I thought it was a fantastic idea.When I set off to do this…

Show threadlouiskottmann

This is a massive change for cache in webapp templates as it makes their rendering more stable and thus more cacheable.

A key component here is that we are trusting the user's browser to not be tampered with, as it is the browser that sets the Sec-Fetch-Site header and guarantees it has not been tampered with.

I wonder if that's a new thing ? Do we already rely on browsers being correct in their implementation for something equally fundamental ?

Dec 25 at 5:12amWeb
Show threadtptacekDec 25
The entire web security model assumes we can trust browsers to implement web security policies!
Show threadlouiskottmannDec 25
I appreciate that, but in the case of TLS or CSRF tokens the server is not blindly trusting the browser in the way Sec-Fetch-Site makes it.
Show threadtptacekDec 25
Sure it is. The same-origin rule that holds the whole web security model together is entirely a property of browser behavior.