something I'm struggling to understand about browser security is why you can send cross-origin POST requests with the user's cookies with a form, but the exact same fetch() call won't include the cookies

(I mean it's clear why we would NOT want to include the cookies, but it feels weird that it's allowed in one context but not in another)

@b0rk partly historical reasons and partly that script cannot read the response to a POST submitted via a form. letting it send the request still carries risk though
@b0rk (a long time ago I had to do cross-origin work by making a script construct a <form> and submit it)

@jcoglan it feels like we think allowing this kind of cross-origin POST request is bad but also once we realized that it was bad it was too late to change it

(though I guess browsers are actually evolving the SameSite defaults so things are changing slowly)

@b0rk @jcoglan "once we realized that it was bad it was too late to change it" is probably a good summary of the stack as a whole, not just POST requests.
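An added example to go with the thread above (it is not part of any post in it): a small model, in plain JavaScript, of the rules the thread is poking at. `cookieSent` reproduces the SameSite rules plus fetch()'s default `credentials: 'same-origin'`, which is the actual reason the form POST carries cookies and the identical fetch() does not; `responseReadable` captures the point that script never sees a form submission's response while a cross-site fetch() needs CORS; `checkCsrf` is the server-side check (Sec-Fetch-Site, then an Origin allowlist) that closes the hole regardless of cookie attributes. The origins, cookie names and header values are constructed for the example, and `browserDefault` is an assumed knob for what a browser does with a cookie that has no SameSite attribute.

```javascript
// Added example (not from the thread above): a model of when a browser attaches
// cookies to a request, why script cannot read a form's response, and the
// server-side check that mitigates cross-site POSTs. All values are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// A cookie as the server set it: sameSite is 'Strict', 'Lax', 'None' or undefined.
function cookie(name, { sameSite, secure = true } = {}) {
  return { name, sameSite, secure };
}

// A form submission is a top-level navigation; fetch() is a subresource request
// whose cookie behaviour is additionally governed by its credentials mode.
function formSubmit(method, crossSite) {
  return { kind: 'form', method, crossSite, topLevelNavigation: true };
}
function fetchRequest(method, crossSite, credentials = 'same-origin') {
  return { kind: 'fetch', method, crossSite, topLevelNavigation: false, credentials };
}

// SameSite rules: Strict never crosses sites; Lax crosses only on a top-level
// navigation with a safe method; None always crosses but must be Secure.
// browserDefault (assumed parameter) is what the browser uses for a cookie with
// no attribute: 'Lax' in current Chromium, 'None' in older browsers. Chromium's
// two-minute "Lax + POST" allowance for fresh unattributed cookies is not modelled.
function sameSitePermits(c, req, browserDefault) {
  const mode = c.sameSite || browserDefault;
  if (mode === 'None' && !c.secure) return false; // modern browsers reject such a cookie
  if (!req.crossSite) return true;
  if (mode === 'Strict') return false;
  if (mode === 'Lax') return req.topLevelNavigation && SAFE_METHODS.has(req.method);
  return true; // 'None' with Secure
}

// Is the cookie attached? fetch() defaults to credentials: 'same-origin', so a
// cross-site fetch() sends no cookies while a form with the same method does.
function cookieSent(c, req, browserDefault = 'Lax') {
  if (req.kind === 'fetch') {
    if (req.credentials === 'omit') return false;
    if (req.credentials === 'same-origin' && req.crossSite) return false;
  }
  return sameSitePermits(c, req, browserDefault);
}

// Can the initiating script read the response body? A form submission navigates
// away, so the submitting page never sees it. A cross-site fetch() needs CORS,
// and with credentials a wildcard Access-Control-Allow-Origin does not count.
function responseReadable(req, requesterOrigin, corsHeaders = {}) {
  if (req.kind === 'form') return false;
  if (!req.crossSite) return true;
  const acao = corsHeaders['access-control-allow-origin'];
  if (req.credentials === 'include') {
    return acao === requesterOrigin &&
      corsHeaders['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === requesterOrigin;
}

// Server side: refuse state-changing requests that did not come from our own
// origin. Sec-Fetch-Site is the first gate; Origin is then matched against an
// allowlist, and a missing Origin fails closed (browsers send it on POST).
function checkCsrf(method, headers, allowedOrigins) {
  if (SAFE_METHODS.has(method)) return { allowed: true, reason: 'safe method' };
  if (headers['sec-fetch-site'] === 'cross-site') {
    return { allowed: false, reason: 'Sec-Fetch-Site=cross-site' };
  }
  const origin = headers['origin'];
  if (!origin) return { allowed: false, reason: 'missing Origin header' };
  if (!allowedOrigins.has(origin)) return { allowed: false, reason: `Origin ${origin} not allowed` };
  return { allowed: true, reason: 'same-origin request' };
}

// Walk through the thread's scenario with a constructed session cookie.
const session = cookie('session', { sameSite: 'None' });
console.log('form POST cross-site sends cookie:', cookieSent(session, formSubmit('POST', true)));
console.log('fetch POST cross-site sends cookie:', cookieSent(session, fetchRequest('POST', true)));
console.log('server verdict on cross-site POST:',
  checkCsrf('POST', { 'sec-fetch-site': 'cross-site', origin: 'https://other.example' },
    new Set(['https://app.example'])));
```

Run it with `node` to see the three lines above; switching the cookie to `sameSite: 'Lax'` shows the form POST losing the cookie too, which is the slow change to defaults the thread mentions. The server check is the part to deploy: it does not depend on which browser or cookie attribute the client happens to have.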