Doesn’t Samesite cookie and Sameorigin policy effectively does the same job?

Pardon me if I am wrong, however, I am looking for an answer for my understanding that isn’t the concerns regarding CSRF solved by both Samesite cookie and Same-Origin-Policy effectively? Then why is the need for 2 different things?

The b… Continue reading Doesn’t Samesite cookie and Sameorigin policy effectively does the same job?

Why not sandbox websites instead of using Same-Origin-Policy?

Why do Browsers implement a Same-Origin-Policy (SOP) to prevent open websites in the browser from executing scripts that may access / modify data of other open websites in the used browser?

Another more ‘usual’ approach would be to simply… Continue reading Why not sandbox websites instead of using Same-Origin-Policy?

Why was the Same-origin policy originally introduced (before XMLHttpRequest)?

As I understand it, the Same-origin policy (SOP) basically prevents a script in a web page from obtaining or sending information from/to a different domain.

I understand that this is important to prevent a page from grabbing private data … Continue reading Why was the Same-origin policy originally introduced (before XMLHttpRequest)?

Do best practices eliminate the need for a CSRF token when writing an API server?

I realize that OWASP recommends CSRF tokens but I rarely see them used with public standalone HTTP APIs. This would seem to indicate that they’re not always necessary.

To make this a little more concrete, I would envision the following sc… Continue reading Do best practices eliminate the need for a CSRF token when writing an API server?

Do best practices eliminate the need for a CSRF token when writing an API server?

I realize that OWASP recommends CSRF tokens but I rarely see them used with public standalone HTTP APIs. This would seem to indicate that they’re not always necessary.

To make this a little more concrete, I would envision the following sc… Continue reading Do best practices eliminate the need for a CSRF token when writing an API server?

Will the same JavaScript fetched by HTTP and HTTPS be cached separately by the browser?

Say that a web server supports both HTTP and HTTPS. If a browser fetches the same JavaScript with a HTTP GET and a HTTPS GET, and the JavaScript is cache-able, will the browser cache two copies of the same JavaScript?

The re… Continue reading Will the same JavaScript fetched by HTTP and HTTPS be cached separately by the browser?