From 03b6d862729103a463add4d24535637dcf10c419 Mon Sep 17 00:00:00 2001 From: Raphael Tholl <48417580+RapTho@users.noreply.github.com> Date: Sat, 2 Jan 2021 18:57:18 +0100 Subject: [PATCH] Edit based on feedback iliakan --- 6-data-storage/01-cookie/article.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/6-data-storage/01-cookie/article.md b/6-data-storage/01-cookie/article.md index d0619048..9fc5f695 100644 --- a/6-data-storage/01-cookie/article.md +++ b/6-data-storage/01-cookie/article.md @@ -200,7 +200,7 @@ The browser sends cookies every time you visit the site `bank.com`, even if the That's a so-called "Cross-Site Request Forgery" (in short, XSRF) attack. -Real banks are protected from it of course. All forms generated by `bank.com` have a special field, a so-called "XSRF protection token", that an evil page can't generate or extract from a remote page. It can submit a form there, but can't get the data back. Additionally, the site `bank.com` checks for such token in every form it receives. +Real banks are protected from it of course. All forms generated by `bank.com` have a special field, a so-called "XSRF protection token", that an evil page can't generate or extract from a remote page. It can submit a form there, but can't get the data back. The site `bank.com` checks for such token in every form it receives. Such a protection takes time to implement though. We need to ensure that every form has the required token field, and we must also check all requests. @@ -241,7 +241,7 @@ A `samesite=lax` cookie is sent if both of these conditions are true: That's usually true, but if the navigation is performed in an `
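Review bot: In the first hunk, the replacement line keeps the missing article in "checks for such token in every form it receives"; since the line is being rewritten anyway, change it to "checks for such a token in every form it receives". Dropping "Additionally" is an improvement, because the server-side check is the core of the XSRF protection rather than an extra step on top of the token field, and the new wording makes that clearer. The second hunk is cut off in this view after its context lines, so there is nothing to comment on there.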