First and foremost _____ is a giant hack to mitigate legacy mistakes.
Wow, every article on web technology should start this way. And lots of non-web technologies, too.
As a userscript author, it is some bullshit.
Unless I’m missing something, the post is plain wrong in some parts. You can’t POST to a cross-site API because the browser will send a CORS preflight first, before sending the real request. The only way around that is, IIRC, form submits; for that you need CSRF protection.
Also, the CORS proxy statement is wrong, if I don’t misunderstand their point. They don’t break security because they are obviously not the cookie domain. They’re the proxy domain, so the browser will never send cookies to it.
Anyways, don’t trust the post or me. Just read https://owasp.org/ for web security advice.
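To make the preflight rule discussed above concrete, here is an added example in JavaScript; it is not code from the article or from anyone in this thread. The first function reproduces the Fetch spec’s “CORS-safelisted” test that decides whether a browser sends an OPTIONS preflight before a cross-origin request (simplified: the Range-header exception and the forbidden-byte checks on header values are left out). The other two functions are the server-side checks that matter for the requests that go out without a preflight: an Origin/Referer allow-list and a constant-time CSRF token comparison. The host names (fun-games.example, your-bank.example) and the allow-list are made-up inputs for the example.

```javascript
// Added example, not from the article or the thread. Simplified model of the
// Fetch spec's CORS-safelisted request test plus two server-side CSRF checks.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", // what a plain <form method=post> sends
  "multipart/form-data",
  "text/plain",
]);

// True when the browser would send an OPTIONS preflight first; false when the
// request (with whatever cookies SameSite permits) goes straight to the server.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true; // PUT, DELETE, PATCH...
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return true; // e.g. Authorization, X-CSRF-Token
    if (value.length > 128) return true;             // approximates the spec's 128-byte value cap
    if (lname === "content-type") {
      const essence = value.split(";")[0].trim().toLowerCase(); // drop parameters such as charset
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) return true;   // e.g. application/json
    }
  }
  return false;
}

// Server side: browsers attach an Origin header to every POST, cross-origin or
// not, so a state-changing request whose Origin is not on the allow-list is
// refused. Referer is used as a fallback; a request with neither header, or an
// opaque "null" origin, is refused. Header names are matched case-insensitively.
function originAllowed(headers, allowedOrigins) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  let origin = h["origin"];
  if (origin === undefined && h["referer"] !== undefined) {
    try {
      origin = new URL(h["referer"]).origin; // scheme://host[:port] of the referring page
    } catch {
      return false; // unparsable Referer: refuse
    }
  }
  if (origin === undefined || origin === "null") return false;
  return allowedOrigins.includes(origin);
}

// Synchroniser-token check for form POSTs. The comparison is constant time in
// the token contents; only the length is allowed to leak, and tokens are
// normally fixed length anyway.
function csrfTokenValid(submitted, expected) {
  if (typeof submitted !== "string" || submitted.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= submitted.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Constructed sample requests, as a cross-site page would issue them.
console.log(needsPreflight("POST", { "Content-Type": "application/x-www-form-urlencoded" })); // false: form-style POST, no preflight
console.log(needsPreflight("POST", { "Content-Type": "application/json" }));                  // true: JSON API call is preflighted
console.log(originAllowed({ Origin: "https://fun-games.example" }, ["https://your-bank.example"])); // false: refused by the server
```

The point the block makes visible is that the preflight is decided by method, header names and the Content-Type essence, so a form-encoded POST with cookies attached reaches the server with no preflight at all; the Origin allow-list and the token check are what stand between that request and a state change.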
Thanks, very interesting. I’m a bit confused about what this means:
explicit credentials are unsuitable for server-rendered sites as they aren’t included in top-level navigation
What does “top-level navigation” mean here?
"Note: When I say “top-level” I am talking about the URL that you see in the address bar. So if you load fun-games.example in your URL bar and it makes a request to your-bank.example then fun-games.example is the top-level site." Meaning explicit creds won’t be sent. Even if fun-games knows how to send explicit creds, it can’t, because fun-games does not have access to the creds stored for your-bank. Say, for example, the your-bank creds are stored in local storage. Since the current URL is fun-games, it can only access fun-games’s local storage, not your-bank’s.
Thank you! I was always wondering why the heck this (mostly) useless and broken mechanism exists. I had hesitations about disabling it but had doubts about my understanding. Now I know I’m right.