undefined | Better HN

0 pointsnaasking3mo ago0 comments

> If we were to re-write browser standards today, cross-domain POST requests probably just wouldn't be permitted.

That would be a terrible idea IMO. The insecurity was fundamentally introduced by cookies, which were always a hack. Those should be omitted, and then authorization methods should be designed to learn the lessons from the 70s and 80s, as CSRF is just the latest incarnation of the Confused Deputy:

https://en.wikipedia.org/wiki/Confused_deputy_problem

0 comments

varenc3mo ago

Ah, so true. That's what i mean! Cross domain requests that pass along the target domain's cookies. As in, probably every cookie would default to current __Host-* behavior. (and then some other way to allow a cookie if you want. Also some way of expressing desired cookie behavior without a silly prefix on its name...)

j / k navigate · click thread line to collapse

0 pointsnaasking3mo ago0 comments

> If we were to re-write browser standards today, cross-domain POST requests probably just wouldn't be permitted.

https://en.wikipedia.org/wiki/Confused_deputy_problem

0 comments

varenc3mo ago

j / k navigate · click thread line to collapse