Technically yes, CSRF refers to cross-site attacks. However, there is a class of attacks that are cross-*origin* but not cross-site and which are otherwise identical to CSRF. SameSite doesn’t protect against these attacks but other traditional CSRF defences *do*. For example, synchronizer tokens in hidden form fields or even just requiring a custom header on requests both provide some protection against such attacks, as they both use mechanisms that are subject to the same origin policy rather than same-site.
— Neil

> On 25 Sep 2021, at 18:20, Jim Manico <j...@manicode.com> wrote:
>
> If someone has taken over a subdomain in the ways described, that is not
> cross site request forgery since the attack is occurring from within your
> site. It’s more likely XSS that allows for cookie clobbering or similar, or
> just malicious code injected by the malicious controller of your subdomain.
> This is not strictly CSRF nor are these problems protected from any other
> standard form of CSRF defense.
>
> CSRF is a Cross Site attack where the attack is hosted on a different domain.
>
> --
> Jim Manico
>
>>> On Sep 25, 2021, at 1:07 AM, Dominick Baier <dba...@leastprivilege.com>
>>> wrote:
>>
>> In 6.1 it says
>>
>> "Additionally, the SameSite cookie attribute can be used to
>> prevent CSRF attacks, or alternatively, the application and API
>> could
>> be written to use anti-CSRF tokens.”
>>
>> “Prevent” is a bit strong.
>>
>> SameSite only restricts cookies sent across site boundaries. It does not
>> prevent CSRF attacks from within a site boundary. Scenarios could be a
>> compromised sub-domain, like sub-domain takeover or just some vulnerable
>> application co-located on the same site.
>>
>> thanks
>> ———
>> Dominick Baier
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth