
HttpOnly cookies are still added automatically to JS-initiated requests. It is not a legacy feature. You don't need to get it another way because you don't need to get it at all in JS. It prevents XSS from stealing the cookie and sending it elsewhere (though a successful XSS could still use the cookie while the user is on the page).


Thank you.

It's impressive how much misinformation there is in our field.

Some people read 1 paragraph from documentation and assume HttpOnly cookies are useless for SPAs.



