Hacker News

My best guess is that they are thinking of CSRF. With cookies, requests automatically carry the token, whereas with local storage you need to explicitly add the token. However, CORS does a lot to improve this situation. I note that CORS allows posting form data without pre-flight, but it is not immediately clear to me if posting a form cross domain will send cookies.


> but it is not immediately clear to me if posting a form cross domain will send cookies.

As sibling comment says, this is what SameSite is for.

If it's a POST form, SameSite=Lax or SameSite=Strict won't send the cookie.

If it's a GET form, SameSite=Strict won't send the cookie. SameSite=Lax might; I'm not entirely sure.
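As an added illustration (not part of any comment above), the following JavaScript models the decision a browser makes when choosing whether to attach a cookie to a request, using the SameSite rules from RFC 6265bis: Strict cookies go only on same-site requests; Lax cookies additionally go on cross-site top-level navigations that use a safe method (GET, HEAD, OPTIONS, TRACE); None cookies go on everything but must also carry Secure. The hosts attacker.example and bank.example are constructed, and the registrable-domain helper is a deliberate simplification (it does not consult the Public Suffix List), which is an assumption of this example only.

```javascript
// Added example, not code from the thread: a toy model of browser SameSite
// cookie handling. Rules follow RFC 6265bis; the site comparison is simplified.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Assumption for this example: "site" is the last two host labels (eTLD+1).
// Real browsers use the Public Suffix List, so suffixes like co.uk need more.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// SameSite compares sites, not origins: sub.bank.example and bank.example
// are the same site, so a subdomain is not "cross-site" for this purpose.
function isSameSite(initiatorHost, targetHost) {
  return registrableDomain(initiatorHost) === registrableDomain(targetHost);
}

// cookie:  { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
// request: { method, initiatorHost, targetHost, topLevelNavigation, https }
function cookieIsSent(cookie, request) {
  const sameSite = isSameSite(request.initiatorHost, request.targetHost);
  const method = request.method.toUpperCase();
  // Cookies set without SameSite are treated as Lax by current browsers.
  const mode = cookie.sameSite || "Lax";
  // A Secure cookie is never sent over plain HTTP.
  if (cookie.secure && !request.https) return false;
  switch (mode) {
    case "Strict":
      return sameSite;
    case "Lax":
      // Top-level navigations with a safe method still carry Lax cookies,
      // which is why a cross-site GET form (or a link) gets the cookie but a
      // cross-site POST form and script-issued requests do not.
      return sameSite || (request.topLevelNavigation && SAFE_METHODS.has(method));
    case "None":
      // SameSite=None without Secure is rejected when set, so never sent.
      return cookie.secure;
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// The scenarios discussed in the thread: a form hosted on attacker.example
// (constructed) submitted to bank.example (constructed) as POST or GET, plus a
// script-issued cross-site request (fetch/XHR) for comparison.
function formScenarios() {
  const crossSite = { initiatorHost: "attacker.example", targetHost: "bank.example", https: true };
  const postForm = { ...crossSite, method: "POST", topLevelNavigation: true };
  const getForm = { ...crossSite, method: "GET", topLevelNavigation: true };
  const scriptFetch = { ...crossSite, method: "GET", topLevelNavigation: false };
  const result = {};
  for (const mode of ["Strict", "Lax", "None"]) {
    const cookie = { sameSite: mode, secure: true };
    result[mode] = {
      postForm: cookieIsSent(cookie, postForm),
      getForm: cookieIsSent(cookie, getForm),
      scriptFetch: cookieIsSent(cookie, scriptFetch),
    };
  }
  return result;
}

console.log(JSON.stringify(formScenarios(), null, 2));
```

Running it shows Lax attaching the cookie only to the cross-site GET form, so a state-changing endpoint reachable by GET stays CSRF-exposed under Lax and needs Strict or an explicit anti-CSRF token. Note also that a plain HTML form submission is a navigation, not a script-initiated request, so CORS never enters into whether it is sent or whether cookies ride along; only the cookie's SameSite attribute (and the server's own token check) decides that.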


This is what the SameSite setting on the cookie controls.



