jvehent on Feb 20, 2017 | on: Cross-Site Request Forgery is dead
"You may be tempted to use JWT instead of a database of session cookies. Please don't. Here's why: http://cryto.net/~joepie91/blog/attachments/jwt-flowchart.pn..."
source: https://twitter.com/j4cob/status/831286673644216320
chncdcksn on Feb 20, 2017
I may be wrong, but I don't think JavaScripts from a CDN can access the same localStorage as some JavaScript from another origin. (Source: "Cross-origin data storage access" https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...)
tprynn on Feb 20, 2017
You are wrong. The 'origin' of a script is the domain which loads it, not the domain where it is hosted. (Those can be the same, though.)
chncdcksn on Feb 21, 2017
TIL. Thanks!