> Cookies with HttpOnly attribute can't be read on the client
That's not right, they only can't be read in client JavaScript. Can certainly be read by the client (browser) and in a non-browser context (curl, node) it's irrelevant (like CSP).
> Same-Site: This attribute controls whether 3rd party assets can set their own cookies
1 comment
[ 4.4 ms ] story [ 9.7 ms ] threadThat's not right, they only can't be read in client JavaScript. Can certainly be read by the client (browser) and in a non-browser context (curl, node) it's irrelevant (like CSP).
> Same-Site: This attribute controls whether 3rd party assets can set their own cookies
No... that's not what same-site means. https://owasp.org/www-community/SameSite