If someone has taken over a subdomain in the ways described, that is not cross site request forgery since the attack is occurring from within your site. It’s more likely XSS that allows for cookie clobbering or similar, or just malicious code injected by the malicious controller of your subdomain. This is not strictly CSRF nor are these problems protected from any other standard form of CSRF defense.
CSRF is a Cross Site attack where the attack is hosted on a different domain.

--
Jim Manico

> On Sep 25, 2021, at 1:07 AM, Dominick Baier <dba...@leastprivilege.com> wrote:
>
> In 6.1 it says
>
> "Additionally, the SameSite cookie attribute can be used to
> prevent CSRF attacks, or alternatively, the application and API
> could be written to use anti-CSRF tokens."
>
> "Prevent" is a bit strong.
>
> SameSite only restricts cookies sent across site boundaries. It does not
> prevent CSRF attacks from within a site boundary. Scenarios could be a
> compromised sub-domain, like sub-domain takeover or just some vulnerable
> application co-located on the same site.
>
> thanks
> ---
> Dominick Baier
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
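The point argued in this exchange, as an added example that is not part of the thread: a sibling subdomain is the same "site", so a SameSite=Strict cookie still travels with its request, while an exact Origin check plus a per-session anti-CSRF token (the alternative 6.1 mentions) still rejects it. The origin, secret and session id are constructed; the registrable-domain logic is deliberately simplified (last two labels), real code should use a Public Suffix List library.

```python
import hmac
from urllib.parse import urlsplit

# Assumption: the only origin allowed to submit state-changing requests.
ALLOWED_ORIGIN = "https://app.example.com"


def site_of(origin: str) -> tuple:
    """Schemeful 'site' = (scheme, registrable domain).

    Simplified: treats the last two labels as the registrable domain,
    which is wrong for public suffixes such as co.uk.
    """
    u = urlsplit(origin)
    labels = (u.hostname or "").split(".")
    return (u.scheme, ".".join(labels[-2:]))


def cookie_sent(request_origin: str, target_origin: str, samesite: str) -> bool:
    """Would a cookie with this SameSite value accompany a top-level POST
    from request_origin to target_origin? Strict and Lax both allow
    same-site requests; Lax's extra allowance for top-level GET
    navigations is not modelled here (POST assumed)."""
    if samesite == "None":
        return True
    return site_of(request_origin) == site_of(target_origin)


def csrf_token(session_secret: bytes, session_id: str) -> str:
    """Per-session token derived from a server-side secret (HMAC pattern)."""
    return hmac.new(session_secret, session_id.encode(), "sha256").hexdigest()


def server_accepts(headers: dict, form: dict, session_secret: bytes, session_id: str) -> bool:
    """Defence that does not rely on the site boundary: the Origin header
    must match the exact allowed origin (not merely the same site) and the
    form must carry the session's token, which a sibling subdomain cannot
    read unless it is also the one that issued it."""
    if headers.get("Origin") != ALLOWED_ORIGIN:
        return False
    expected = csrf_token(session_secret, session_id)
    return hmac.compare_digest(form.get("csrf_token", ""), expected)
```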