Wednesday 3 February 2016

First-Party-Only Cookies - nice solution to mitigate CSRF

Just saw which proposes

   This document updates RFC6265 by defining a "First-Party-Only"
   attribute which allows servers to assert that a cookie ought to be
   sent only in a "first-party" context.  This assertion allows user
   agents to mitigate the risk of cross-site request forgery attacks,
   and other related paths to cross-origin information leakage.

It looks really good, and it seems that Chrome 50 is going to support it.
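To make the mitigation concrete, here is an added example (not code from the draft, the blog post, or any browser) that simulates the user agent's cookie-selection decision. It assumes a simplified model: First-Party-Only is a bare boolean attribute, a request is "first-party" when the top-level document and the request target share a registrable domain, and the registrable domain is approximated by the last two host labels instead of the Public Suffix List. The hostnames bank.example and evil.example and the cookie values are constructed for the scenario.

```python
"""Simulated user-agent cookie selection under the First-Party-Only attribute.

Added example, not from the draft or the blog post. Assumed simplifications:
the attribute is a bare boolean flag, "first-party" means the top-level
browsing context shares the request target's registrable domain, and the
registrable domain is approximated as the last two host labels instead of
consulting the Public Suffix List.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str              # host or registrable domain the cookie is scoped to
    first_party_only: bool   # set when the Set-Cookie header carried First-Party-Only


def registrable_domain(host: str) -> str:
    """Toy eTLD+1: the last two labels of the host (a real UA uses the PSL)."""
    return ".".join(host.lower().split(".")[-2:])


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Parse a Set-Cookie header value (name=value plus attributes) into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = response_host.lower()       # default scope: the responding host
    fpo = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lstrip(".").lower()
        elif key == "first-party-only":  # the attribute carries no value
            fpo = True
    return Cookie(name.strip(), value.strip(), domain, fpo)


def is_first_party(request_url: str, top_level_url: str) -> bool:
    """True when the top-level document and the request target share a registrable domain."""
    return (registrable_domain(urlsplit(request_url).hostname)
            == registrable_domain(urlsplit(top_level_url).hostname))


def cookies_for_request(jar: List[Cookie], request_url: str, top_level_url: str) -> List[str]:
    """Return the names of the jar cookies the simulated UA would attach to request_url."""
    host = urlsplit(request_url).hostname.lower()
    attached = []
    for c in jar:
        # Domain-match: exact host, or a subdomain of the cookie's Domain.
        if not (host == c.domain or host.endswith("." + c.domain)):
            continue
        # The CSRF mitigation: a First-Party-Only cookie is withheld in a cross-site context.
        if c.first_party_only and not is_first_party(request_url, top_level_url):
            continue
        attached.append(c.name)
    return attached


def demo() -> dict:
    """Constructed scenario: bank.example sets two cookies; a page on evil.example
    then triggers a forged request to bank.example."""
    jar = [
        parse_set_cookie("session=abc123; Secure; HttpOnly; First-Party-Only", "bank.example"),
        parse_set_cookie("theme=dark; Domain=.bank.example", "bank.example"),
    ]
    target = "https://bank.example/transfer"
    return {
        "same_site": cookies_for_request(jar, target, "https://bank.example/account"),
        "cross_site": cookies_for_request(jar, target, "https://evil.example/forge.html"),
    }


if __name__ == "__main__":
    print(demo())  # {'same_site': ['session', 'theme'], 'cross_site': ['theme']}
```

The same forged request to bank.example carries the session cookie when the top-level page is on bank.example, but not when it is on evil.example; the non-flagged theme cookie is sent in both cases, which is why only state-changing cookies (the session) need the attribute for the CSRF mitigation to work.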

The current solution seems to be inspired by the SameDomain Cookie attribute as described at

I actually prefer the SameDomain name to First-Party-Cookies :)