In 6.1 it says "Additionally, the SameSite cookie attribute can be used to prevent CSRF attacks, or alternatively, the application and API could be written to use anti-CSRF tokens."
"Prevent" is a bit strong. SameSite only restricts cookies sent across site boundaries. It does not prevent CSRF attacks from within a site boundary. Scenarios could be a compromised sub-domain, like sub-domain takeover, or just some vulnerable application co-located on the same site. thanks
——— Dominick Baier
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth