#* Due to the same-origin policy, other websites cannot read the cookies for <code>shopping.com</code>.
Note that other origins may be able to read hidden form fields (by fetching the page that contains them with the victim's cookies) and to send custom request headers if the CORS policy is set too permissively, e.g. <code>Access-Control-Allow-Origin</code> reflects arbitrary origins while <code>Access-Control-Allow-Credentials</code> is <code>true</code>, or <code>Access-Control-Allow-Headers</code> is too broad.
It is therefore important for the backend to check the XSRF token in the request against a copy that other websites cannot read, such as the value stored in a cookie or in the server-side session, rather than only checking that some token is present.
If you send the XSRF token both in a cookie and in a hidden form field, this requires no JavaScript: the hidden field is submitted as part of the form, and the browser automatically attaches the cookie to the request, so the backend only has to compare the two values.