> Isn't that what CSRF protections are for, not CORS?

Without the same-origin policy, CSRF protections would be trivial to circumvent, since you’d be able to read the CSRF token from any page.

Sure, but that falls under the "no unauthorised GET data" thing I talked about...?