Simon Willison’s Weblog

Tuesday, 3rd August 2021

Exploring the SameSite cookie attribute for preventing CSRF

In reading Yan Zhu’s excellent write-up of the JSON CSRF vulnerability she found in OkCupid one thing puzzled me: I was under the impression that browsers these days default to treating cookies as SameSite=Lax, so I would expect attacks like the one Yan described not to work in modern browsers.

[... 2161 words]
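As an added example (not code from this post or from Yan Zhu's write-up), here is a small JavaScript model of the decision a browser makes when deciding whether to attach a cookie to a request under the SameSite rules. It lets you check the intuition above: does a "Lax by default" browser actually block the cross-site form POST that a classic CSRF relies on? The two browser profiles are assumptions for the exercise: `chromium` treats a `Set-Cookie` without a SameSite attribute as Lax but still sends such a cookie on top-level cross-site POSTs for two minutes after it was set (Chromium's "Lax-allowing-unsafe" allowance for sign-in flows), while `legacy` stands in for an engine that still treats a missing attribute as None. Function and field names (`cookieIsSent`, `topLevel`, `setAt`, `PROFILES`) are invented for the model and are not a browser API.

```javascript
// Added example: a model of whether a browser attaches a cookie to a request
// under the SameSite rules. Not browser code; profiles below are assumptions.

const MINUTES = 60 * 1000;
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Assumed browser profiles:
//  - chromium: a missing SameSite attribute means Lax, except that for two
//    minutes after the cookie was set it is still sent on top-level
//    cross-site POSTs (the "Lax-allowing-unsafe" allowance).
//  - legacy: a missing SameSite attribute means None (cookie always sent).
const PROFILES = {
  chromium: { laxByDefault: true, laxAllowingUnsafeWindowMs: 2 * MINUTES },
  legacy:   { laxByDefault: false, laxAllowingUnsafeWindowMs: 0 },
};

// cookie:  { sameSite?: 'Strict'|'Lax'|'None', secure: boolean, setAt: ms }
// request: { method, crossSite: boolean, topLevel: boolean, now: ms }
//          topLevel = a navigation (form submit, link), not fetch()/XHR.
function cookieIsSent(cookie, request, profile) {
  // An explicit SameSite=None without Secure is rejected when set, so it is
  // never available to send.
  if (cookie.sameSite === 'None' && !cookie.secure) return false;

  const mode = cookie.sameSite || (profile.laxByDefault ? 'Lax' : 'None');
  if (mode === 'None') return true;
  if (!request.crossSite) return true;   // same-site: always attached
  if (mode === 'Strict') return false;   // Strict: never on cross-site requests

  // Lax: cross-site only on top-level navigations with a safe method ...
  if (request.topLevel && SAFE_METHODS.has(request.method)) return true;

  // ... plus the Lax+POST allowance, which applies only to cookies that did
  // not carry an explicit SameSite attribute.
  const unsafeWindow = profile.laxAllowingUnsafeWindowMs;
  if (!cookie.sameSite && request.topLevel && unsafeWindow > 0) {
    return request.now - cookie.setAt < unsafeWindow;
  }
  return false;
}

// Classic CSRF shape: an attacker page auto-submits <form method="POST"> to
// the target. That is a top-level, cross-site navigation with an unsafe method.
function crossSiteFormPostCarriesCookie(cookie, profileName, now = Date.now()) {
  return cookieIsSent(
    cookie,
    { method: 'POST', crossSite: true, topLevel: true, now },
    PROFILES[profileName],
  );
}

// The same POST issued with fetch() from the attacker page: not top-level.
function crossSiteFetchPostCarriesCookie(cookie, profileName, now = Date.now()) {
  return cookieIsSent(
    cookie,
    { method: 'POST', crossSite: true, topLevel: false, now },
    PROFILES[profileName],
  );
}

// Walk the scenarios for a session cookie set without any SameSite attribute
// (constructed inputs: one set 30 seconds ago, one set 10 minutes ago).
function report(now = Date.now()) {
  const fresh = { secure: true, setAt: now - 30 * 1000 };
  const old   = { secure: true, setAt: now - 10 * MINUTES };
  return {
    chromiumOldCookieFormPost:   crossSiteFormPostCarriesCookie(old, 'chromium', now),
    chromiumFreshCookieFormPost: crossSiteFormPostCarriesCookie(fresh, 'chromium', now),
    legacyOldCookieFormPost:     crossSiteFormPostCarriesCookie(old, 'legacy', now),
    chromiumOldCookieFetchPost:  crossSiteFetchPostCarriesCookie(old, 'chromium', now),
  };
}

console.log(report());
```

The interesting row is `chromiumFreshCookieFormPost`: under the assumed Chromium profile the Lax default does block the form-POST CSRF for an established session, but a cookie set less than two minutes earlier is still attached, and an explicit `SameSite=Lax` (or `Strict`) on the `Set-Cookie` header closes that window. Relying on the browser default is therefore not the same as setting the attribute yourself, and it says nothing about browsers whose default is still None.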
