Hacker News

It's not the same, but don't httpOnly cookies kind of serve the same purpose? JS can't read these cookies at all?

JS can't (that protects against stealing the token), but the server still receives it even when the request originates from a foreign domain. That's the gist of CSRF [0].

[0]: https://en.wikipedia.org/wiki/Cross-site_request_forgery
