issues: 648421105

This data as json

id node_id number title user state locked assignee milestone comments created_at updated_at closed_at author_association pull_request body repo type active_lock_reason performed_via_github_app
648421105 MDU6SXNzdWU2NDg0MjExMDU= 877 Consider dropping explicit CSRF protection entirely? 9599 open 0     8 2020-06-30T19:00:55Z 2020-07-01T19:12:16Z   OWNER from Feb 2017 has background here. The SameSite=lax cookie property effectively eliminates CSRF in modern browsers. shows 92.13% global support for it.

Datasette already uses SameSite=lax when it sets cookies by default:

A few options then. I could ditch CSRF protection entirely. I could make it optional - turn it off by default, but let users who care about that remaining 7.87% of global users opt back into it.

One catch: login CSRF: I don't see how SameSite=lax protects against that attack.

107914493 issue    

Links from other tables

Powered by Datasette · Query took 1.586ms · About: github-to-sqlite