You received this message because you are subscribed to a topic in the Google Groups "Mojolicious" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/mojolicious/Cngym3QNeQs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to mojolicious...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mojolicious/6cce769b-2b91-4532-aa01-cf5cc58a0d5bn%40googlegroups.com.
I think that most browsers default to SameSite=Lax (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite), so you could still do a CSRF attack via a GET request / top-level navigation, although that’s only if you’ve coded your application to *do* things in a GET request.
If you explicitly use SameSite=Strict, then I suppose that CSRF protections could probably matter less. I hadn’t actually thought about that until now. I wonder about CSRF attacks that don’t require cookies. It’s been a few months since I’ve chatted with security experts, but I think I was advised to ensure CSRF protection as well as secure strict cookies.
72/330 Wattle St
Ultimo, NSW 2007
Office: 02 9212 0899
Online: 02 8005 0595