Closed ljrk0 closed 2 months ago
Would you care to PR this? Keep in mind this would break sites where authenticated users would need to visit different subdomains.
Sure, can do! In that case, maybe we should also re-phrase the current text about `__Host-` which IMHO is a bit unclear:

> Another solution for this problem [...]
It's not completely obvious to me what "this problem" is referring to.
Additionally, I wouldn't call this "another solution" as this sounds too much like an alternative. Especially with older clients it is crucial to not see this as an alternative to existing in-depth measures but as an extension/addition.
I'll draft something and we can iterate on that!
Fixed with #1374
What is missing or needs to be updated?
While #332 added the `__Host-` prefix as per the discussion in #195, the (admittedly weaker) `__Secure-` prefix was not added to the CSRF cheat sheet, despite being mentioned in the thread: https://github.com/OWASP/CheatSheetSeries/issues/195#issuecomment-533914778

How should this be resolved?
Arguably this prefix should be added as well, either as a recommendation for those cases where domain-locked `__Host-` prefixes are not possible to implement, or as a warning to check whether this weakened protection is indeed applicable.
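To make the difference between the two prefixes concrete, here is an added example (it is not code from the cheat sheet, from this issue thread, or from the OWASP project) that checks a `Set-Cookie` header value against the browser-enforced rules for the `__Host-` and `__Secure-` prefixes. The rules encoded here (`__Secure-` requires `Secure`; `__Host-` additionally forbids a `Domain` attribute and requires `Path=/`) are the ones prefix-aware browsers apply; the function and header names are this example's own choices. The "weaker" point from the issue is visible in the result: a `__Secure-` cookie may still carry a `Domain` attribute, so a sibling subdomain can set one for the parent domain, whereas a `__Host-` cookie cannot be scoped beyond the host that set it.

```python
# Added example, not part of the OWASP CheatSheetSeries repository.
# Validates cookie-prefix rules on a Set-Cookie header value so that a
# defender can see which guarantees each prefix actually buys.

def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_prefix(header: str):
    """Return (accepted, scope_note) for a Set-Cookie value.

    A prefix-aware browser rejects the cookie outright when accepted is False.
    scope_note explains what the prefix does (or does not) guarantee.
    """
    name, _value, attrs = parse_set_cookie(header)

    if name.startswith("__Host-"):
        # __Host-: Secure, no Domain attribute, Path must be exactly "/".
        if "secure" not in attrs:
            return False, "__Host- cookie rejected: missing Secure"
        if "domain" in attrs:
            return False, "__Host- cookie rejected: Domain attribute not allowed"
        if attrs.get("path") != "/":
            return False, "__Host- cookie rejected: Path must be /"
        return True, "host-locked: only this exact host can set or read it"

    if name.startswith("__Secure-"):
        # __Secure-: only the Secure flag is enforced; Domain is still allowed.
        if "secure" not in attrs:
            return False, "__Secure- cookie rejected: missing Secure"
        if "domain" in attrs:
            return True, ("secure-only: Domain=%s means any subdomain of it "
                          "could set a cookie with this name" % attrs["domain"])
        return True, "secure-only: no Domain given, but a subdomain could still add one"

    # No prefix: the browser enforces nothing about scope or transport.
    return True, "no prefix: no browser-enforced guarantees"


def subdomain_can_shadow(header: str) -> bool:
    """True when a sibling/child subdomain could plant a same-named cookie.

    Only an accepted __Host- cookie is immune; this is the practical reason
    the cheat sheet treats __Secure- as the weaker fallback.
    """
    accepted, _note = check_prefix(header)
    name, _value, _attrs = parse_set_cookie(header)
    return not (accepted and name.startswith("__Host-"))


if __name__ == "__main__":
    # Constructed sample headers for illustration.
    samples = [
        "__Host-csrf=tok; Secure; Path=/; SameSite=Strict; HttpOnly",
        "__Host-csrf=tok; Secure; Path=/; Domain=example.com",
        "__Secure-csrf=tok; Secure; Path=/; Domain=example.com",
        "__Secure-csrf=tok; Path=/",
        "csrf=tok; Path=/",
    ]
    for s in samples:
        ok, note = check_prefix(s)
        print(f"{'OK ' if ok else 'REJ'} shadowable={subdomain_can_shadow(s)}  {s}\n     {note}")
```

The `__main__` block prints one line per constructed sample; the only header that is both accepted and not shadowable by a subdomain is the first `__Host-` one, which is the property the cheat sheet recommendation relies on.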