1 comment

[ 4.4 ms ] story [ 9.7 ms ] thread
> Cookies with HttpOnly attribute can't be read on the client

That's not right, they only can't be read in client JavaScript. Can certainly be read by the client (browser) and in a non-browser context (curl, node) it's irrelevant (like CSP).

> Same-Site: This attribute controls whether 3rd party assets can set their own cookies

No... that's not what same-site means. https://owasp.org/www-community/SameSite