1c:["$","$L1d",null,{"blockContent":[{"object":"block","id":"291dc9c5-3059-80dc-9284-c41375e26422","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T15:38:00.000Z","last_edited_time":"2025-10-19T16:03:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"What is CSRF?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"What is CSRF?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-800c-ba4d-fa8b0854e363","parent":{"type":"block_id","block_id":"291dc9c5-3059-80dc-9284-c41375e26422"},"created_time":"2025-10-19T15:57:00.000Z","last_edited_time":"2025-10-19T15:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Cross-site request forgery (CSRF) is a web security vulnerability that allows an attacker to trick users into performing actions they don't intend to perform. It partially bypasses the same origin policy, which is designed to prevent different websites from interfering with each other.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Cross-site request forgery (CSRF) is a web security vulnerability that allows an attacker to trick users into performing actions they don't intend to perform. It partially bypasses the same origin policy, which is designed to prevent different websites from interfering with each other.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8026-92ce-d6b8d3936637","parent":{"type":"block_id","block_id":"291dc9c5-3059-80dc-9284-c41375e26422"},"created_time":"2025-10-19T15:57:00.000Z","last_edited_time":"2025-10-19T15:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"291dc9c5-3059-8025-9fa0-f7111e5aebd8","parent":{"type":"block_id","block_id":"291dc9c5-3059-80dc-9284-c41375e26422"},"created_time":"2025-10-19T15:57:00.000Z","last_edited_time":"2025-10-19T15:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Impact","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Impact","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80ab-ba23-e595d551b07d","parent":{"type":"block_id","block_id":"291dc9c5-3059-80dc-9284-c41375e26422"},"created_time":"2025-10-19T15:57:00.000Z","last_edited_time":"2025-10-19T15:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In a successful CSRF attack, the attacker tricks the victim into performing actions without their knowledge. This could include changing their account email address, changing their password, or transferring money. Depending on the action, the attacker might gain full control of the user's account. If the victim user has administrative privileges, the attacker could take control of all the application's data and functionality.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In a successful CSRF attack, the attacker tricks the victim into performing actions without their knowledge. This could include changing their account email address, changing their password, or transferring money. Depending on the action, the attacker might gain full control of the user's account. If the victim user has administrative privileges, the attacker could take control of all the application's data and functionality.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"291dc9c5-3059-805e-a618-c90a35a0acb1","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"How Does CSRF Work?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How Does CSRF Work?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-80ce-8e6a-f78704b39124","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"For CSRF to be possible, three things must be true:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"For CSRF to be possible, three things must be true:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8076-bfd1-fcee6e6c76f4","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"A relevant action exists.","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"A relevant action exists.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-801b-9c0d-dee42c1e34f4","parent":{"type":"block_id","block_id":"291dc9c5-3059-8076-bfd1-fcee6e6c76f4"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The application performs an action when given a request (for example: change the user’s email or password).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The application performs an action when given a request (for example: change the user’s email or password).","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"291dc9c5-3059-8067-89bc-c4a26855cbdc","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"Cookie-based session handling.","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Cookie-based session handling.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-80aa-8295-d04f324fb483","parent":{"type":"block_id","block_id":"291dc9c5-3059-8067-89bc-c4a26855cbdc"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The app uses cookies to identify the user, and the browser will automatically send those cookies with requests the user’s browser makes.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The app uses cookies to identify the user, and the browser will automatically send those cookies with requests the user’s browser makes.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"291dc9c5-3059-802a-a661-d7c4f356aa73","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"No unpredictable request parameters.","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"No unpredictable request parameters.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-800c-b315-fe2b157abcb6","parent":{"type":"block_id","block_id":"291dc9c5-3059-802a-a661-d7c4f356aa73"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:19:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The request must not require values an attacker can’t guess. If the request requires a value the attacker can’t know or guess (like the user's current password, or a unique, per-request token), the attack will fail.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The request must not require values an attacker can’t guess. If the request requires a value the attacker can’t know or guess (like the user's current password, or a unique, per-request token), the attack will fail.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"291dc9c5-3059-8099-a263-fa711c925f80","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"291dc9c5-3059-80cc-b888-de8d75a3fd29","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Example — legitimate request the app expects:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example — legitimate request the app expects:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80d5-ad01-db2415d6bbf4","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:10:00.000Z","last_edited_time":"2025-10-19T16:11:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"suppose an application contains a function that lets the user change the email address on their account. ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"suppose an application contains a function that lets the user change the email address on their account. ","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80f4-b8d0-e3fb3739e540","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:21:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"POST /email/change HTTP/1.1\nHost: vulnerable-website.com\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 30\nCookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE\n\nemail=wiener@normal-user.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"POST /email/change HTTP/1.1\nHost: vulnerable-website.com\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 30\nCookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE\n\nemail=wiener@normal-user.com","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"291dc9c5-3059-80bb-8e23-e1da949f5c5a","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This meets the CSRF conditions because:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This meets the CSRF conditions because:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-806e-abb7-c26d41aa68bd","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The action (changing the email) is useful to an attacker.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The action (changing the email) is useful to an attacker.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8006-be13-e68ec25d68e6","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The application uses the session cookie to identify the user.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The application uses the session cookie to identify the user.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8058-b2ce-ee25b0c9c02d","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"There are no secret parameters the attacker can’t predict.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"There are no secret parameters the attacker can’t predict.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-802c-92cd-c89dd29b79d9","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"291dc9c5-3059-8005-8a2f-f427918d7563","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:24:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the above conditions exist, an attacker construct a web page (","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the above conditions exist, an attacker construct a web page (","href":null},{"type":"text","text":{"content":"attacker-evil-site.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"attacker-evil-site.com","href":null},{"type":"text","text":{"content":") containing this HTML:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":") containing this HTML:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-802b-b2c8-d26ac6badd4d","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"\n \n \n \n \n","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"\n \n \n \n \n","href":null}],"language":"html"},"archived":false},{"object":"block","id":"291dc9c5-3059-804e-9e6c-f50eedbb7523","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"What happens:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"What happens:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-803f-9f16-f81b86b3f94e","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:45:00.000Z","last_edited_time":"2025-10-19T16:45:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Victim visits ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Victim visits ","href":null},{"type":"text","text":{"content":"attacker-evil-site.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"attacker-evil-site.com","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8099-bd36-de0ca73696b6","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:25:00.000Z","last_edited_time":"2025-10-19T16:25:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"attacker-evil-site.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"attacker-evil-site.com","href":null},{"type":"text","text":{"content":" contains a hidden HTML form and a script that auto-submits it.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" contains a hidden HTML form and a script that auto-submits it.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80bd-b930-e341a905d70e","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:26:00.000Z","last_edited_time":"2025-10-19T16:27:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Victim’s browser executes the script and POST request to ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Victim’s browser executes the script and POST request to ","href":null},{"type":"text","text":{"content":"https://vulnerable-website.com/email/change","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https://vulnerable-website.com/email/change","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8023-8c9c-d8f362b2c40c","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:27:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Crucially,","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Crucially,","href":null},{"type":"text","text":{"content":" because the request is going to ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" because the request is going to ","href":null},{"type":"text","text":{"content":"vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"vulnerable-website.com","href":null},{"type":"text","text":{"content":", victim’s browser ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", victim’s browser ","href":null},{"type":"text","text":{"content":"automatically ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"automatically ","href":null},{"type":"text","text":{"content":"attaches the session cookie to the request.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"attaches the session cookie to the request.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80e6-985a-dcd9f6e68a58","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The vulnerable site receives the request and treats it as if the logged-in user made it.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The vulnerable site receives the request and treats it as if the logged-in user made it.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-803d-901f-ccea804c4c30","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The user’s email is changed to ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The user’s email is changed to ","href":null},{"type":"text","text":{"content":"owned@evil-user.net","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"owned@evil-user.net","href":null},{"type":"text","text":{"content":" without their knowledge.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" without their knowledge.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8071-b20c-cfe0a141488f","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"291dc9c5-3059-8094-8917-cf6960b64ffd","parent":{"type":"block_id","block_id":"291dc9c5-3059-805e-a618-c90a35a0acb1"},"created_time":"2025-10-19T16:00:00.000Z","last_edited_time":"2025-10-19T16:15:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"That’s the core:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"That’s the core:","href":null},{"type":"text","text":{"content":" if an app relies only on cookies for authentication and doesn’t require unpredictable request data (like a CSRF token), attackers can force unwanted state-changing actions from a user’s browser.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" if an app relies only on cookies for authentication and doesn’t require unpredictable request data (like a CSRF token), attackers can force unwanted state-changing actions from a user’s browser.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"291dc9c5-3059-806b-8bbf-c6e34ca21dc1","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T16:29:00.000Z","last_edited_time":"2025-10-19T16:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"How to construct a CSRF attack","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How to construct a CSRF attack","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-801a-8463-cedd72eacd07","parent":{"type":"block_id","block_id":"291dc9c5-3059-806b-8bbf-c6e34ca21dc1"},"created_time":"2025-10-19T16:29:00.000Z","last_edited_time":"2025-10-19T16:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Manually creating the HTML for a CSRF exploit can be difficult, especially for requests with many parameters or unusual features. The easiest way to create a CSRF exploit is using the CSRF PoC generator built into Burp Suite Professional:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Manually creating the HTML for a CSRF exploit can be difficult, especially for requests with many parameters or unusual features. The easiest way to create a CSRF exploit is using the CSRF PoC generator built into Burp Suite Professional:","href":null}],"icon":null,"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-801d-8b00-e2eb90a6bb83","parent":{"type":"block_id","block_id":"291dc9c5-3059-801a-8463-cedd72eacd07"},"created_time":"2025-10-19T16:29:00.000Z","last_edited_time":"2025-10-19T16:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Select a request in Burp Suite Professional that you want to test or exploit.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Select a request in Burp Suite Professional that you want to test or exploit.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8047-9e8c-ee0a746ea2d3","parent":{"type":"block_id","block_id":"291dc9c5-3059-801a-8463-cedd72eacd07"},"created_time":"2025-10-19T16:29:00.000Z","last_edited_time":"2025-10-19T16:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"From the right-click menu, select Engagement tools / Generate CSRF PoC.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"From the right-click menu, select Engagement tools / Generate CSRF PoC.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-808a-b62d-c67e949436f2","parent":{"type":"block_id","block_id":"291dc9c5-3059-801a-8463-cedd72eacd07"},"created_time":"2025-10-19T16:29:00.000Z","last_edited_time":"2025-10-19T16:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Burp Suite will generate HTML that triggers the selected request (cookies will be added automatically by the victim's browser).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Burp Suite will generate HTML that triggers the selected request (cookies will be added automatically by the victim's browser).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80bf-8bef-f97d9d4c5bee","parent":{"type":"block_id","block_id":"291dc9c5-3059-801a-8463-cedd72eacd07"},"created_time":"2025-10-19T16:29:00.000Z","last_edited_time":"2025-10-19T16:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"You can adjust options in the CSRF PoC generator to handle unusual request features.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You can adjust options in the CSRF PoC generator to handle unusual request features.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8030-81b2-d3dbc1f4ed51","parent":{"type":"block_id","block_id":"291dc9c5-3059-801a-8463-cedd72eacd07"},"created_time":"2025-10-19T16:29:00.000Z","last_edited_time":"2025-10-19T16:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Copy the generated HTML into a web page, view it in a browser that is logged into the vulnerable website, and test if the request is sent successfully and the desired action occurs.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Copy the generated HTML into a web page, view it in a browser that is logged into the vulnerable website, and test if the request is sent successfully and the desired action occurs.","href":null}],"color":"default"},"archived":false}]}]},{"object":"block","id":"291dc9c5-3059-8049-b140-fa9f5cdf973f","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T16:31:00.000Z","last_edited_time":"2025-12-05T12:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"How to deliver a CSRF exploit","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How to deliver a CSRF exploit","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-80f2-8776-c961beda250a","parent":{"type":"block_id","block_id":"291dc9c5-3059-8049-b140-fa9f5cdf973f"},"created_time":"2025-10-19T16:32:00.000Z","last_edited_time":"2025-10-19T16:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The delivery methods for CSRF attacks are similar to reflected XSS attacks. Typically, the attacker places malicious HTML on a website they control and tricks victims into visiting that site. This can be done by sending the user a link to the website via email or social media. If the attack is placed on a popular website (like in a user comment), the attacker may simply wait for users to visit.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The delivery methods for CSRF attacks are similar to reflected XSS attacks. Typically, the attacker places malicious HTML on a website they control and tricks victims into visiting that site. This can be done by sending the user a link to the website via email or social media. If the attack is placed on a popular website (like in a user comment), the attacker may simply wait for users to visit.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8017-be03-e33918b549d1","parent":{"type":"block_id","block_id":"291dc9c5-3059-8049-b140-fa9f5cdf973f"},"created_time":"2025-10-19T16:32:00.000Z","last_edited_time":"2025-12-05T12:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Note:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"2c0dc9c5-3059-80a7-bd92-f171020789a1","parent":{"type":"block_id","block_id":"291dc9c5-3059-8017-be03-e33918b549d1"},"created_time":"2025-12-05T12:34:00.000Z","last_edited_time":"2025-12-05T12:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"When an action (like changing an email) uses a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When an action (like changing an email) uses a ","href":null},{"type":"text","text":{"content":"GET","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"GET","href":null},{"type":"text","text":{"content":" request instead of a POST request, the entire command is contained within the URL itself. This means an attacker doesn't need to create a separate website with a hidden form.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" request instead of a POST request, the entire command is contained within the URL itself. This means an attacker doesn't need to create a separate website with a hidden form.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80bc-94b0-f3d4b65419dd","parent":{"type":"block_id","block_id":"291dc9c5-3059-8017-be03-e33918b549d1"},"created_time":"2025-10-19T16:52:00.000Z","last_edited_time":"2025-12-05T12:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In this case, the attacker plants this image tag on any website where they can post content. This could be a forum comment, a blog post, a user profile, etc. They don't need their own website. For example, if changing an email address uses the GET method, a self-contained attack would look like this:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In this case, the attacker plants this image tag on any website where they can post content. This could be a forum comment, a blog post, a user profile, etc. They don't need their own website. For example, if changing an email address uses the GET method, a self-contained attack would look like this:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-806b-a33a-db2d05b7f6c5","parent":{"type":"block_id","block_id":"291dc9c5-3059-8017-be03-e33918b549d1"},"created_time":"2025-10-19T16:32:00.000Z","last_edited_time":"2025-12-05T12:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"

","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"

","href":null}],"language":"html"},"archived":false}]}]},{"object":"block","id":"291dc9c5-3059-8016-ad39-f2e33a6b99c4","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T16:33:00.000Z","last_edited_time":"2025-10-19T16:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Common defences against CSRF","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Common defences against CSRF","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-807d-b29b-dd1c85f82bba","parent":{"type":"block_id","block_id":"291dc9c5-3059-8016-ad39-f2e33a6b99c4"},"created_time":"2025-10-19T16:35:00.000Z","last_edited_time":"2025-10-19T16:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Finding and exploiting CSRF today usually means bypassing protections on the site, the browser, or both. The common defences are:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Finding and exploiting CSRF today usually means bypassing protections on the site, the browser, or both. The common defences are:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80b5-81b9-deaedcefaeab","parent":{"type":"block_id","block_id":"291dc9c5-3059-8016-ad39-f2e33a6b99c4"},"created_time":"2025-10-19T16:35:00.000Z","last_edited_time":"2025-10-19T16:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"CSRF tokens","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CSRF tokens","href":null},{"type":"text","text":{"content":" — The server gives the client a unique, secret token for sensitive actions. The client must include this token in the request, which makes it very hard for an attacker to forge a valid request on the victim’s behalf.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" — The server gives the client a unique, secret token for sensitive actions. The client must include this token in the request, which makes it very hard for an attacker to forge a valid request on the victim’s behalf.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80f5-98e5-d1135cac89cc","parent":{"type":"block_id","block_id":"291dc9c5-3059-8016-ad39-f2e33a6b99c4"},"created_time":"2025-10-19T16:35:00.000Z","last_edited_time":"2025-10-19T16:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"SameSite cookies","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"SameSite cookies","href":null},{"type":"text","text":{"content":" — The SameSite attribute tells browsers when cookies should be sent with requests from other sites. Proper SameSite settings can stop cross-site requests that rely on the victim’s session cookie. Chrome enforces ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" — The SameSite attribute tells browsers when cookies should be sent with requests from other sites. Proper SameSite settings can stop cross-site requests that rely on the victim’s session cookie. Chrome enforces ","href":null},{"type":"text","text":{"content":"Lax","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Lax","href":null},{"type":"text","text":{"content":" by default (since 2021), and other browsers are moving toward the same behavior.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" by default (since 2021), and other browsers are moving toward the same behavior.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80b2-9778-c5cb81232938","parent":{"type":"block_id","block_id":"291dc9c5-3059-8016-ad39-f2e33a6b99c4"},"created_time":"2025-10-19T16:35:00.000Z","last_edited_time":"2025-10-19T16:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Referer-based validation","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Referer-based validation","href":null},{"type":"text","text":{"content":" — Some apps check the HTTP ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" — Some apps check the HTTP ","href":null},{"type":"text","text":{"content":"Referer","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Referer","href":null},{"type":"text","text":{"content":" header to ensure the request came from the same origin. This is weaker than CSRF tokens but can still provide some protection.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" header to ensure the request came from the same origin. This is weaker than CSRF tokens but can still provide some protection.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"291dc9c5-3059-80af-9bcb-dced86719486","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T17:53:00.000Z","last_edited_time":"2025-10-19T17:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"291dc9c5-3059-8004-85eb-cc9ec5185708","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T17:53:00.000Z","last_edited_time":"2025-10-19T17:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Bypassing CSRF token validation","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypassing CSRF token validation","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8009-8ef1-d64b99b18c75","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T17:54:00.000Z","last_edited_time":"2025-10-19T18:07:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"What is a CSRF token?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"What is a CSRF token?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-8081-ab35-c76da625e005","parent":{"type":"block_id","block_id":"291dc9c5-3059-8009-8ef1-d64b99b18c75"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:07:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"A ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"A ","href":null},{"type":"text","text":{"content":"CSRF token","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CSRF token","href":null},{"type":"text","text":{"content":" is a unique, secret, and unpredictable value created by the server and shared with the client. When a user performs a sensitive action — like submitting a form — the client must include this token in the request.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is a unique, secret, and unpredictable value created by the server and shared with the client. When a user performs a sensitive action — like submitting a form — the client must include this token in the request.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-804f-abcb-dd77dd47a4b8","parent":{"type":"block_id","block_id":"291dc9c5-3059-8009-8ef1-d64b99b18c75"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:07:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the token is missing or incorrect, the server rejects the action.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the token is missing or incorrect, the server rejects the action.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-808a-af55-dbcffa1e3b6a","parent":{"type":"block_id","block_id":"291dc9c5-3059-8009-8ef1-d64b99b18c75"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:07:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"A common implementation is adding the token as a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"A common implementation is adding the token as a ","href":null},{"type":"text","text":{"content":"hidden field","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"hidden field","href":null},{"type":"text","text":{"content":" in forms:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" in forms:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8033-86a6-cd7fcff44a06","parent":{"type":"block_id","block_id":"291dc9c5-3059-8009-8ef1-d64b99b18c75"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:07:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"","href":null}],"language":"html"},"archived":false},{"object":"block","id":"291dc9c5-3059-805a-8da1-cd504d4ea5dc","parent":{"type":"block_id","block_id":"291dc9c5-3059-8009-8ef1-d64b99b18c75"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:07:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Submitting this form results in a request like:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Submitting this form results in a request like:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8044-9777-e964d24edb11","parent":{"type":"block_id","block_id":"291dc9c5-3059-8009-8ef1-d64b99b18c75"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:08:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"POST /my-account/change-email HTTP/1.1\nHost: normal-website.com\nContent-Length: 70\nContent-Type: application/x-www-form-urlencoded\n\ncsrf=50FaWgdOhi9M9wyna8taR1k3ODOR8d6u&email=example@normal-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"POST /my-account/change-email HTTP/1.1\nHost: normal-website.com\nContent-Length: 70\nContent-Type: application/x-www-form-urlencoded\n\ncsrf=50FaWgdOhi9M9wyna8taR1k3ODOR8d6u&email=example@normal-website.com","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"291dc9c5-3059-8012-bff1-c96a023560a0","parent":{"type":"block_id","block_id":"291dc9c5-3059-8009-8ef1-d64b99b18c75"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:08:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Purpose:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Purpose:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80d4-89eb-ee0397167b80","parent":{"type":"block_id","block_id":"291dc9c5-3059-8009-8ef1-d64b99b18c75"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:07:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"CSRF tokens prevent attackers from forging valid requests, since they can’t guess the secret token required by the server.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CSRF tokens prevent attackers from forging valid requests, since they can’t guess the secret token required by the server.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80ef-88cf-c202371fec9d","parent":{"type":"block_id","block_id":"291dc9c5-3059-8009-8ef1-d64b99b18c75"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:23:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Note:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-8080-83de-e4f8eb95bd78","parent":{"type":"block_id","block_id":"291dc9c5-3059-80ef-88cf-c202371fec9d"},"created_time":"2025-10-19T18:07:00.000Z","last_edited_time":"2025-10-19T18:24:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"CSRF tokens aren’t limited to hidden form fields in POST requests — they can also be included in HTTP headers. The method of transmission significantly affects overall security.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CSRF tokens aren’t limited to hidden form fields in POST requests — they can also be included in HTTP headers. The method of transmission significantly affects overall security.","href":null}],"icon":null,"color":"default"},"archived":false}]}]},{"object":"block","id":"291dc9c5-3059-8000-9d12-ec5c0a67f6c1","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T18:26:00.000Z","last_edited_time":"2025-10-19T18:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Common flaws in CSRF token validation","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Common flaws in CSRF token validation","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8090-b722-fe4a8d6383b3","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T18:26:00.000Z","last_edited_time":"2025-10-19T18:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Validation of CSRF token depends on request method","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Validation of CSRF token depends on request method","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-80c5-b0af-d436043e8a9c","parent":{"type":"block_id","block_id":"291dc9c5-3059-8090-b722-fe4a8d6383b3"},"created_time":"2025-10-19T18:32:00.000Z","last_edited_time":"2025-10-19T18:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Some applications correctly validate the token when the request uses the POST method but skip the validation when the GET method is used.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Some applications correctly validate the token when the request uses the POST method but skip the validation when the GET method is used.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8030-b90a-f2acab0e8316","parent":{"type":"block_id","block_id":"291dc9c5-3059-8090-b722-fe4a8d6383b3"},"created_time":"2025-10-19T18:32:00.000Z","last_edited_time":"2025-10-19T18:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In this situation, the attacker can switch to the GET method to bypass the validation and deliver a CSRF attack:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In this situation, the attacker can switch to the GET method to bypass the validation and deliver a CSRF attack:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80be-a7fd-d64b30f254f7","parent":{"type":"block_id","block_id":"291dc9c5-3059-8090-b722-fe4a8d6383b3"},"created_time":"2025-10-19T18:32:00.000Z","last_edited_time":"2025-10-19T18:32:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"GET /email/change?email=pwned@evil-user.net HTTP/1.1\nHost: vulnerable-website.com\nCookie: session=2yQIDcpia41WrArfjPqvm9tOkDvkMvLm","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"GET /email/change?email=pwned@evil-user.net HTTP/1.1\nHost: vulnerable-website.com\nCookie: session=2yQIDcpia41WrArfjPqvm9tOkDvkMvLm","href":null}],"language":"plain text"},"archived":false}]},{"object":"block","id":"291dc9c5-3059-804a-927e-cfcad98041d8","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T18:32:00.000Z","last_edited_time":"2025-10-19T18:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Validation of CSRF token depends on token being present","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Validation of CSRF token depends on token being present","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-80bd-9184-f33bb7313f48","parent":{"type":"block_id","block_id":"291dc9c5-3059-804a-927e-cfcad98041d8"},"created_time":"2025-10-19T18:33:00.000Z","last_edited_time":"2025-10-19T18:33:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Some applications correctly validate the token when it is present but skip the validation if the token is omitted.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Some applications correctly validate the token when it is present but skip the validation if the token is omitted.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8020-adcc-d935cbc97764","parent":{"type":"block_id","block_id":"291dc9c5-3059-804a-927e-cfcad98041d8"},"created_time":"2025-10-19T18:33:00.000Z","last_edited_time":"2025-10-19T18:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In this situation, the attacker can remove the entire parameter containing the token to bypass the validation.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In this situation, the attacker can remove the entire parameter containing the token to bypass the validation.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-804f-b90a-fb142f20e684","parent":{"type":"block_id","block_id":"291dc9c5-3059-804a-927e-cfcad98041d8"},"created_time":"2025-10-19T18:33:00.000Z","last_edited_time":"2025-10-19T18:33:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"POST /email/change HTTP/1.1\nHost: vulnerable-website.com\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 25\nCookie: session=2yQIDcpia41WrArfjPqvm9tOkDvkMvLm\n\nemail=pwned@evil-user.net","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"POST /email/change HTTP/1.1\nHost: vulnerable-website.com\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 25\nCookie: session=2yQIDcpia41WrArfjPqvm9tOkDvkMvLm\n\nemail=pwned@evil-user.net","href":null}],"language":"plain text"},"archived":false}]},{"object":"block","id":"291dc9c5-3059-80c7-a97c-ff1ac6d59395","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T18:34:00.000Z","last_edited_time":"2025-10-19T18:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"CSRF token is not tied to the user session","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CSRF token is not tied to the user session","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-8043-b4d3-e24eb19ad4bc","parent":{"type":"block_id","block_id":"291dc9c5-3059-80c7-a97c-ff1ac6d59395"},"created_time":"2025-10-19T18:35:00.000Z","last_edited_time":"2025-10-19T18:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Some applications do not validate that the token belongs to the same session as the user making the request. Instead, the application maintains a global pool of tokens it has issued and accepts any token that appears in this pool.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Some applications do not validate that the token belongs to the same session as the user making the request. Instead, the application maintains a global pool of tokens it has issued and accepts any token that appears in this pool.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8076-af4b-d623d4dd9e4d","parent":{"type":"block_id","block_id":"291dc9c5-3059-80c7-a97c-ff1ac6d59395"},"created_time":"2025-10-19T18:35:00.000Z","last_edited_time":"2025-10-19T18:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In this situation, the attacker can log in to the application using their own account, obtain a valid token, and then provide that token to the victim user in their CSRF attack.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In this situation, the attacker can log in to the application using their own account, obtain a valid token, and then provide that token to the victim user in their CSRF attack.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"291dc9c5-3059-801d-b796-c517ef256b01","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T18:37:00.000Z","last_edited_time":"2025-10-19T18:38:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"CSRF token is tied to a non-session cookie","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CSRF token is tied to a non-session cookie","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-8056-8978-e0357ba7a755","parent":{"type":"block_id","block_id":"291dc9c5-3059-801d-b796-c517ef256b01"},"created_time":"2025-10-19T18:38:00.000Z","last_edited_time":"2025-10-19T18:38:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In a variation of the previous vulnerability, some applications tie the CSRF token to a cookie, but not to the same cookie used for session tracking. This often happens when an application uses two different frameworks - one for session handling and one for CSRF protection - that are not integrated.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In a variation of the previous vulnerability, some applications tie the CSRF token to a cookie, but not to the same cookie used for session tracking. This often happens when an application uses two different frameworks - one for session handling and one for CSRF protection - that are not integrated.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-80ca-a378-e8b8906e12bb","parent":{"type":"block_id","block_id":"291dc9c5-3059-801d-b796-c517ef256b01"},"created_time":"2025-10-19T18:38:00.000Z","last_edited_time":"2025-10-19T18:39:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"POST /email/change HTTP/1.1\nHost: vulnerable-website.com\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 68\nCookie: session=pSJYSScWKpmC60LpFOAHKixuFuM4uXWF; csrfKey=rZHCnSzEp8dbI6atzagGoSYyqJqTz5dv\n\ncsrf=RhV7yQDO0xcq9gLEah2WVbmuFqyOq7tY&email=wiener@normal-user.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"POST /email/change HTTP/1.1\nHost: vulnerable-website.com\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 68\nCookie: session=pSJYSScWKpmC60LpFOAHKixuFuM4uXWF; csrfKey=rZHCnSzEp8dbI6atzagGoSYyqJqTz5dv\n\ncsrf=RhV7yQDO0xcq9gLEah2WVbmuFqyOq7tY&email=wiener@normal-user.com","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"291dc9c5-3059-80ef-ab96-f6ba7086e7f0","parent":{"type":"block_id","block_id":"291dc9c5-3059-801d-b796-c517ef256b01"},"created_time":"2025-10-19T18:38:00.000Z","last_edited_time":"2025-10-19T18:38:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This situation is harder to exploit but is still vulnerable. If the website contains any behavior that allows an attacker to set a cookie in a victim's browser, then an attack is possible. The attacker can log in to the application using their own account, obtain a valid token and associated cookie, use the cookie-setting behavior to place their cookie into the victim's browser, and provide their token to the victim in their CSRF attack.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This situation is harder to exploit but is still vulnerable. If the website contains any behavior that allows an attacker to set a cookie in a victim's browser, then an attack is possible. The attacker can log in to the application using their own account, obtain a valid token and associated cookie, use the cookie-setting behavior to place their cookie into the victim's browser, and provide their token to the victim in their CSRF attack.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-803a-bfee-e091876c0cf8","parent":{"type":"block_id","block_id":"291dc9c5-3059-801d-b796-c517ef256b01"},"created_time":"2025-10-19T18:38:00.000Z","last_edited_time":"2025-10-19T18:38:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Note","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-8029-baee-da38750a84c3","parent":{"type":"block_id","block_id":"291dc9c5-3059-803a-bfee-e091876c0cf8"},"created_time":"2025-10-19T18:38:00.000Z","last_edited_time":"2025-10-19T18:38:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The cookie-setting behavior does not need to exist within the same web application as the CSRF vulnerability. Any other application within the same overall DNS domain can potentially be used to set cookies in the target application, if the controlled cookie has suitable scope. For example, a cookie-setting function on ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The cookie-setting behavior does not need to exist within the same web application as the CSRF vulnerability. Any other application within the same overall DNS domain can potentially be used to set cookies in the target application, if the controlled cookie has suitable scope. For example, a cookie-setting function on ","href":null},{"type":"text","text":{"content":"staging.demo.normal-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"staging.demo.normal-website.com","href":null},{"type":"text","text":{"content":" could be used to place a cookie that is submitted to ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" could be used to place a cookie that is submitted to ","href":null},{"type":"text","text":{"content":"secure.normal-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"secure.normal-website.com","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false}]}]},{"object":"block","id":"291dc9c5-3059-80e0-ab73-f68ab4bf3df5","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-19T18:43:00.000Z","last_edited_time":"2025-10-19T18:44:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"CSRF token is simply duplicated in a cookie","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CSRF token is simply duplicated in a cookie","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"291dc9c5-3059-80dd-bf17-d18d3ea5c484","parent":{"type":"block_id","block_id":"291dc9c5-3059-80e0-ab73-f68ab4bf3df5"},"created_time":"2025-10-19T18:44:00.000Z","last_edited_time":"2025-10-19T18:44:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In another variation of this vulnerability, some applications do not keep server-side records of issued tokens. Instead, they duplicate each token in both a cookie and a request parameter. When validating subsequent requests, the application simply checks that the token in the request parameter matches the token in the cookie. This is called the \"double submit\" defense against CSRF, and is popular because it's simple to implement and requires no server-side state:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In another variation of this vulnerability, some applications do not keep server-side records of issued tokens. Instead, they duplicate each token in both a cookie and a request parameter. When validating subsequent requests, the application simply checks that the token in the request parameter matches the token in the cookie. This is called the \"double submit\" defense against CSRF, and is popular because it's simple to implement and requires no server-side state:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"291dc9c5-3059-8006-bc24-cd92ee165da4","parent":{"type":"block_id","block_id":"291dc9c5-3059-80e0-ab73-f68ab4bf3df5"},"created_time":"2025-10-19T18:44:00.000Z","last_edited_time":"2025-10-19T18:44:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"POST /email/change HTTP/1.1\nHost: vulnerable-website.com\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 68\nCookie: session=1DQGdzYbOJQzLP7460tfyiv3do7MjyPw; csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa\n\ncsrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa&email=wiener@normal-user.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"POST /email/change HTTP/1.1\nHost: vulnerable-website.com\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 68\nCookie: session=1DQGdzYbOJQzLP7460tfyiv3do7MjyPw; csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa\n\ncsrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa&email=wiener@normal-user.com","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"291dc9c5-3059-80a5-b564-fe1054cb4a0a","parent":{"type":"block_id","block_id":"291dc9c5-3059-80e0-ab73-f68ab4bf3df5"},"created_time":"2025-10-19T18:44:00.000Z","last_edited_time":"2025-10-19T18:44:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In this situation, the attacker can still perform a CSRF attack if the website has any cookie-setting functionality. The attacker doesn't need to obtain a valid token. They can simply create a token (in the required format, if format is checked), use the cookie-setting behavior to place their cookie into the victim's browser, and provide their token to the victim in their CSRF attack.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In this situation, the attacker can still perform a CSRF attack if the website has any cookie-setting functionality. The attacker doesn't need to obtain a valid token. They can simply create a token (in the required format, if format is checked), use the cookie-setting behavior to place their cookie into the victim's browser, and provide their token to the victim in their CSRF attack.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-80d8-b46f-f5da6c8858c9","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T12:54:00.000Z","last_edited_time":"2025-10-21T12:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"293dc9c5-3059-8002-aad7-ea19945ee4ad","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T12:56:00.000Z","last_edited_time":"2025-10-21T12:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Bypassing SameSite cookie restrictions","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypassing SameSite cookie restrictions","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-80b9-9937-de8cfbc2de53","parent":{"type":"block_id","block_id":"293dc9c5-3059-8002-aad7-ea19945ee4ad"},"created_time":"2025-10-21T12:57:00.000Z","last_edited_time":"2025-10-21T12:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"SameSite is a browser security feature that controls when a website’s cookies are sent with requests from other sites. It helps prevent attacks like CSRF, cross-site leaks, and some CORS exploits.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"SameSite is a browser security feature that controls when a website’s cookies are sent with requests from other sites. It helps prevent attacks like CSRF, cross-site leaks, and some CORS exploits.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8091-9222-ef082adcea3f","parent":{"type":"block_id","block_id":"293dc9c5-3059-8002-aad7-ea19945ee4ad"},"created_time":"2025-10-21T12:57:00.000Z","last_edited_time":"2025-10-21T12:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Since 2021, Chrome automatically applies ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Since 2021, Chrome automatically applies ","href":null},{"type":"text","text":{"content":"Lax","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Lax","href":null},{"type":"text","text":{"content":" SameSite restrictions if a site doesn’t set its own rule. This is becoming a standard, so other browsers are likely to follow. Because of this, it’s important to understand how SameSite restrictions work and how they can sometimes be bypassed to test for cross-site attack possibilities.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" SameSite restrictions if a site doesn’t set its own rule. This is becoming a standard, so other browsers are likely to follow. Because of this, it’s important to understand how SameSite restrictions work and how they can sometimes be bypassed to test for cross-site attack possibilities.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-806c-87f9-d2df3250da4b","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T12:58:00.000Z","last_edited_time":"2025-10-21T13:01:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"What is a site?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"What is a site?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-8010-a56b-e506e66ace2b","parent":{"type":"block_id","block_id":"293dc9c5-3059-806c-87f9-d2df3250da4b"},"created_time":"2025-10-21T12:58:00.000Z","last_edited_time":"2025-10-21T12:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"For SameSite restrictions, a “site” is defined by the top-level domain (like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"For SameSite restrictions, a “site” is defined by the top-level domain (like ","href":null},{"type":"text","text":{"content":".com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":".com","href":null},{"type":"text","text":{"content":" or ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" or ","href":null},{"type":"text","text":{"content":".net","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":".net","href":null},{"type":"text","text":{"content":") plus one level of the domain name (called ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":") plus one level of the domain name (called ","href":null},{"type":"text","text":{"content":"TLD+1","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"TLD+1","href":null},{"type":"text","text":{"content":").","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":").","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8085-ad1a-ed0d97cd269c","parent":{"type":"block_id","block_id":"293dc9c5-3059-806c-87f9-d2df3250da4b"},"created_time":"2025-10-21T12:58:00.000Z","last_edited_time":"2025-10-21T12:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"When deciding if a request is from the same site, the browser also considers the URL scheme (HTTP vs HTTPS). For example, a link from","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When deciding if a request is from the same site, the browser also considers the URL scheme (HTTP vs HTTPS). For example, a link from","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8095-a9e0-e2877e1ffb14","parent":{"type":"block_id","block_id":"293dc9c5-3059-806c-87f9-d2df3250da4b"},"created_time":"2025-10-21T12:58:00.000Z","last_edited_time":"2025-10-21T12:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"http://app.example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"http://app.example.com","href":null},{"type":"text","text":{"content":" to ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" to ","href":null},{"type":"text","text":{"content":"https://app.example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https://app.example.com","href":null},{"type":"text","text":{"content":" is treated as ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is treated as ","href":null},{"type":"text","text":{"content":"cross-site","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"cross-site","href":null},{"type":"text","text":{"content":" by most browsers.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" by most browsers.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8050-8468-c0c54bdcf7cd","parent":{"type":"block_id","block_id":"293dc9c5-3059-806c-87f9-d2df3250da4b"},"created_time":"2025-10-21T12:58:00.000Z","last_edited_time":"2025-10-21T12:58:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"image","image":{"caption":[],"type":"file","file":{"url":"$1e","expiry_time":"2026-05-30T03:37:13.972Z"}},"archived":false},{"object":"block","id":"293dc9c5-3059-80df-b5f6-e61c73604833","parent":{"type":"block_id","block_id":"293dc9c5-3059-806c-87f9-d2df3250da4b"},"created_time":"2025-10-21T12:58:00.000Z","last_edited_time":"2025-10-21T12:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Note","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-80fb-a993-d3dee9bbc65c","parent":{"type":"block_id","block_id":"293dc9c5-3059-80df-b5f6-e61c73604833"},"created_time":"2025-10-21T12:58:00.000Z","last_edited_time":"2025-10-21T12:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"You may come across the term \"effective top-level domain\" (eTLD). This is just a way of accounting for the reserved multipart suffixes that are treated as top-level domains in practice, such as ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"You may come across the term \"effective top-level domain\" (eTLD). This is just a way of accounting for the reserved multipart suffixes that are treated as top-level domains in practice, such as ","href":null},{"type":"text","text":{"content":".co.uk","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":".co.uk","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false}]}]},{"object":"block","id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T13:01:00.000Z","last_edited_time":"2025-10-21T13:28:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Site VS Origin","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Site VS Origin","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-8025-875f-dbea97b1c8e5","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The difference between a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The difference between a ","href":null},{"type":"text","text":{"content":"site","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"site","href":null},{"type":"text","text":{"content":" and an ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" and an ","href":null},{"type":"text","text":{"content":"origin","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"origin","href":null},{"type":"text","text":{"content":" is how specific they are:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is how specific they are:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8092-aeaa-f0a319571c3a","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"A ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"A ","href":null},{"type":"text","text":{"content":"site","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"site","href":null},{"type":"text","text":{"content":" covers multiple domains under the same base domain (like ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" covers multiple domains under the same base domain (like ","href":null},{"type":"text","text":{"content":"example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"example.com","href":null},{"type":"text","text":{"content":").","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":").","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8022-96a1-d8e48672d3c4","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"An ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"An ","href":null},{"type":"text","text":{"content":"origin","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"origin","href":null},{"type":"text","text":{"content":" is more specific — it includes the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" is more specific — it includes the ","href":null},{"type":"text","text":{"content":"scheme","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"scheme","href":null},{"type":"text","text":{"content":" (HTTP/HTTPS), ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (HTTP/HTTPS), ","href":null},{"type":"text","text":{"content":"domain","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"domain","href":null},{"type":"text","text":{"content":", and ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", and ","href":null},{"type":"text","text":{"content":"port","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"port","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-804a-812e-fdfc8d23d8c5","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Two URLs have the same ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Two URLs have the same ","href":null},{"type":"text","text":{"content":"origin","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"origin","href":null},{"type":"text","text":{"content":" only if all three — scheme, domain, and port — match exactly.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" only if all three — scheme, domain, and port — match exactly.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80ad-833c-ff8dd81704b7","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"For example:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"For example:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80bf-b34e-ed1e37c094f0","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:28:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Origin","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Origin","href":null},{"type":"text","text":{"content":" → includes ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → includes ","href":null},{"type":"text","text":{"content":"https","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https","href":null},{"type":"text","text":{"content":", ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", ","href":null},{"type":"text","text":{"content":"app.example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"app.example.com","href":null},{"type":"text","text":{"content":", and ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", and ","href":null},{"type":"text","text":{"content":":443","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":":443","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-808b-b1c6-c24c5e80a8ca","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:28:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Site","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Site","href":null},{"type":"text","text":{"content":" → only includes ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → only includes ","href":null},{"type":"text","text":{"content":"https","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https","href":null},{"type":"text","text":{"content":" and ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" and ","href":null},{"type":"text","text":{"content":"example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"example.com","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8093-a177-d8423c609e0c","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:28:00.000Z","last_edited_time":"2025-10-21T13:28:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"image","image":{"caption":[],"type":"file","file":{"url":"$1f","expiry_time":"2026-05-30T03:37:14.030Z"}},"archived":false},{"object":"block","id":"293dc9c5-3059-8098-9003-e8f875ec4016","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T16:03:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Because “site” is much less specific, a request can be ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Because “site” is much less specific, a request can be ","href":null},{"type":"text","text":{"content":"cross-origin","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"cross-origin","href":null},{"type":"text","text":{"content":" but still ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" but still ","href":null},{"type":"text","text":{"content":"same-site","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"same-site","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-804e-90b4-d6975629c5b4","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Here’s how it works:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Here’s how it works:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8065-9aeb-f51e61dd5ab4","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"table","table":{"table_width":4,"has_column_header":true,"has_row_header":false},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-8022-af6f-f9714586f1d1","parent":{"type":"block_id","block_id":"293dc9c5-3059-8065-9aeb-f51e61dd5ab4"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"Request From","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Request From","href":null}],[{"type":"text","text":{"content":"Request To","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Request To","href":null}],[{"type":"text","text":{"content":"Same-site?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Same-site?","href":null}],[{"type":"text","text":{"content":"Same-origin?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Same-origin?","href":null}]]},"archived":false},{"object":"block","id":"293dc9c5-3059-80a7-a3a6-fdaf6dcd1866","parent":{"type":"block_id","block_id":"293dc9c5-3059-8065-9aeb-f51e61dd5ab4"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"https://example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://example.com","href":null}],[{"type":"text","text":{"content":"https://example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://example.com","href":null}],[{"type":"text","text":{"content":"✅ Yes","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"✅ Yes","href":null}],[{"type":"text","text":{"content":"✅ Yes","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"✅ Yes","href":null}]]},"archived":false},{"object":"block","id":"293dc9c5-3059-80ae-8077-f220d3d2be25","parent":{"type":"block_id","block_id":"293dc9c5-3059-8065-9aeb-f51e61dd5ab4"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"https://app.example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://app.example.com","href":null}],[{"type":"text","text":{"content":"https://intranet.example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://intranet.example.com","href":null}],[{"type":"text","text":{"content":"✅ Yes","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"✅ Yes","href":null}],[{"type":"text","text":{"content":"❌ No (different domain)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No (different domain)","href":null}]]},"archived":false},{"object":"block","id":"293dc9c5-3059-804c-847e-f07ae759e0e8","parent":{"type":"block_id","block_id":"293dc9c5-3059-8065-9aeb-f51e61dd5ab4"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"https://example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://example.com","href":null}],[{"type":"text","text":{"content":"https://example.com:8080","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://example.com:8080","href":null}],[{"type":"text","text":{"content":"✅ Yes","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"✅ Yes","href":null}],[{"type":"text","text":{"content":"❌ No (different port)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No (different port)","href":null}]]},"archived":false},{"object":"block","id":"293dc9c5-3059-805d-a4ba-d36a608cf2ab","parent":{"type":"block_id","block_id":"293dc9c5-3059-8065-9aeb-f51e61dd5ab4"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"https://example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://example.com","href":null}],[{"type":"text","text":{"content":"https://example.co.uk","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://example.co.uk","href":null}],[{"type":"text","text":{"content":"❌ No (different TLD)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No (different TLD)","href":null}],[{"type":"text","text":{"content":"❌ No","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No","href":null}]]},"archived":false},{"object":"block","id":"293dc9c5-3059-8066-800e-e2b1d832f1ce","parent":{"type":"block_id","block_id":"293dc9c5-3059-8065-9aeb-f51e61dd5ab4"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"table_row","table_row":{"cells":[[{"type":"text","text":{"content":"https://example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"https://example.com","href":null}],[{"type":"text","text":{"content":"http://example.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"http://example.com","href":null}],[{"type":"text","text":{"content":"❌ No (different scheme)","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No (different scheme)","href":null}],[{"type":"text","text":{"content":"❌ No","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"❌ No","href":null}]]},"archived":false}]},{"object":"block","id":"293dc9c5-3059-8052-a989-fb6921040b4b","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Key point:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Key point:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8000-b3eb-cf65798dcde2","parent":{"type":"block_id","block_id":"293dc9c5-3059-808a-9ceb-fdcc6d941dd6"},"created_time":"2025-10-21T13:26:00.000Z","last_edited_time":"2025-10-21T13:26:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Even if requests are “same-site,” they might still be ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Even if requests are “same-site,” they might still be ","href":null},{"type":"text","text":{"content":"cross-origin","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"cross-origin","href":null},{"type":"text","text":{"content":", which can be exploited if a vulnerability allows malicious JavaScript to run on one domain and affect others under the same site.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", which can be exploited if a vulnerability allows malicious JavaScript to run on one domain and affect others under the same site.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T13:29:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"How does SameSite work?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How does SameSite work?","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-80b8-a44f-e6efccc92118","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:52:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Before ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Before ","href":null},{"type":"text","text":{"content":"SameSite","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"SameSite","href":null},{"type":"text","text":{"content":" existed, browsers sent cookies with every request — even from other websites.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" existed, browsers sent cookies with every request — even from other websites.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8056-8d7d-d10da2184ba0","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This made CSRF attacks easier, because an attacker could trigger a request that included the victim’s session cookie.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This made CSRF attacks easier, because an attacker could trigger a request that included the victim’s session cookie.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8091-9f44-e94e14dbc7c3","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"SameSite","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"SameSite","href":null},{"type":"text","text":{"content":" fixes this by letting browsers control ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" fixes this by letting browsers control ","href":null},{"type":"text","text":{"content":"when","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"when","href":null},{"type":"text","text":{"content":" cookies are sent in cross-site requests.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" cookies are sent in cross-site requests.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-801c-9a5f-d21d521e88d4","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If the browser doesn’t include the cookie, the CSRF attack usually fails.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If the browser doesn’t include the cookie, the CSRF attack usually fails.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-802c-8593-f39a5d64d5d1","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"There are ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"There are ","href":null},{"type":"text","text":{"content":"three SameSite modes","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"three SameSite modes","href":null},{"type":"text","text":{"content":":","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":":","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8001-8b85-fc20998e44d2","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:54:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Strict","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Strict","href":null},{"type":"text","text":{"content":" → Cookies are only sent for requests from the same site.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → Cookies are only sent for requests from the same site.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8077-abc0-d13dc37345b5","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Lax","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Lax","href":null},{"type":"text","text":{"content":" → Cookies are sent for top-level navigation (like clicking a link), but not for background requests (like a hidden form submission).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → Cookies are sent for top-level navigation (like clicking a link), but not for background requests (like a hidden form submission).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80b0-9962-c17cd1fca243","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:53:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"None","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"None","href":null},{"type":"text","text":{"content":" → Cookies are always sent, even in cross-site requests.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" → Cookies are always sent, even in cross-site requests.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-808d-a9bd-c20d3fbf9ce2","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"How developers use it:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How developers use it:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8077-92a8-ccfbe58049ff","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"They can set the SameSite rule in the cookie header, for example:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"They can set the SameSite rule in the cookie header, for example:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80a0-9839-fa024d0655bb","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"Set-Cookie: session=0F8tgdOhi9ynR1M9wa3ODa; SameSite=Strict","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Set-Cookie: session=0F8tgdOhi9ynR1M9wa3ODa; SameSite=Strict","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"293dc9c5-3059-8097-b32d-da023fa37d61","parent":{"type":"block_id","block_id":"293dc9c5-3059-8021-aff6-f9ab3bed26ae"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Note:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-804b-a379-d10d43dc6edd","parent":{"type":"block_id","block_id":"293dc9c5-3059-8097-b32d-da023fa37d61"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If a site doesn’t specify a SameSite rule, ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If a site doesn’t specify a SameSite rule, ","href":null},{"type":"text","text":{"content":"Chrome automatically uses ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Chrome automatically uses ","href":null},{"type":"text","text":{"content":"Lax","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Lax","href":null},{"type":"text","text":{"content":" by default.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" by default.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8003-a4ea-f151fc6c87d7","parent":{"type":"block_id","block_id":"293dc9c5-3059-8097-b32d-da023fa37d61"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"That means cookies are only sent in safe situations unless developers explicitly change it.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"That means cookies are only sent in safe situations unless developers explicitly change it.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80d1-a0da-c99368f7d66f","parent":{"type":"block_id","block_id":"293dc9c5-3059-8097-b32d-da023fa37d61"},"created_time":"2025-10-21T13:30:00.000Z","last_edited_time":"2025-10-21T13:30:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Other browsers are expected to follow the same rule.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Other browsers are expected to follow the same rule.","href":null}],"icon":null,"color":"default"},"archived":false}]}]},{"object":"block","id":"293dc9c5-3059-8023-b8e5-f0ba3619c68d","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T14:02:00.000Z","last_edited_time":"2025-10-21T14:03:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Strict","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Strict","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-80c0-a7cd-c49272318cee","parent":{"type":"block_id","block_id":"293dc9c5-3059-8023-b8e5-f0ba3619c68d"},"created_time":"2025-10-21T14:03:00.000Z","last_edited_time":"2025-10-21T14:03:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"SameSite=Strict","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"SameSite=Strict","href":null},{"type":"text","text":{"content":" means the browser ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" means the browser ","href":null},{"type":"text","text":{"content":"never sends the cookie","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"never sends the cookie","href":null},{"type":"text","text":{"content":" in ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" in ","href":null},{"type":"text","text":{"content":"cross-site requests","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"cross-site requests","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-801e-89b1-fd1e7329d789","parent":{"type":"block_id","block_id":"293dc9c5-3059-8023-b8e5-f0ba3619c68d"},"created_time":"2025-10-21T14:03:00.000Z","last_edited_time":"2025-10-21T15:48:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"In other words, if the website making the request is not the same one currently open in the user’s address bar, the cookie will be left out.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"In other words, if the website making the request is not the same one currently open in the user’s address bar, the cookie will be left out.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80ee-8f77-e2cc6eb02f3e","parent":{"type":"block_id","block_id":"293dc9c5-3059-8023-b8e5-f0ba3619c68d"},"created_time":"2025-10-21T14:03:00.000Z","last_edited_time":"2025-10-21T14:03:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"It’s the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"It’s the ","href":null},{"type":"text","text":{"content":"most secure","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"most secure","href":null},{"type":"text","text":{"content":" setting — ideal for cookies used in ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" setting — ideal for cookies used in ","href":null},{"type":"text","text":{"content":"sensitive actions","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"sensitive actions","href":null},{"type":"text","text":{"content":" like login sessions or account changes.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" like login sessions or account changes.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-801e-aa94-c59936c3ed1a","parent":{"type":"block_id","block_id":"293dc9c5-3059-8023-b8e5-f0ba3619c68d"},"created_time":"2025-10-21T14:03:00.000Z","last_edited_time":"2025-10-21T14:03:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"However, it can sometimes ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"However, it can sometimes ","href":null},{"type":"text","text":{"content":"break user experience","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"break user experience","href":null},{"type":"text","text":{"content":" if the website needs to work across multiple domains (for example, when logging in from another site).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" if the website needs to work across multiple domains (for example, when logging in from another site).","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-802b-8d88-d182be0a64f9","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T14:03:00.000Z","last_edited_time":"2025-10-21T14:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Lax","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Lax","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-805e-802b-f863198c2d64","parent":{"type":"block_id","block_id":"293dc9c5-3059-802b-8d88-d182be0a64f9"},"created_time":"2025-10-21T14:04:00.000Z","last_edited_time":"2025-10-21T14:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"SameSite=Lax","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"SameSite=Lax","href":null},{"type":"text","text":{"content":" allows cookies to be sent in ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" allows cookies to be sent in ","href":null},{"type":"text","text":{"content":"some cross-site requests","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"some cross-site requests","href":null},{"type":"text","text":{"content":", but only if:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", but only if:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8083-b850-f9d2168471b9","parent":{"type":"block_id","block_id":"293dc9c5-3059-802b-8d88-d182be0a64f9"},"created_time":"2025-10-21T14:04:00.000Z","last_edited_time":"2025-10-21T14:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The request is a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The request is a ","href":null},{"type":"text","text":{"content":"GET","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"GET","href":null},{"type":"text","text":{"content":" request.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" request.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80ea-91df-df426ec40911","parent":{"type":"block_id","block_id":"293dc9c5-3059-802b-8d88-d182be0a64f9"},"created_time":"2025-10-21T14:04:00.000Z","last_edited_time":"2025-10-21T14:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The user ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The user ","href":null},{"type":"text","text":{"content":"navigates directly","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"navigates directly","href":null},{"type":"text","text":{"content":" (for example, by clicking a link).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (for example, by clicking a link).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-809b-ad05-fbd8c456075d","parent":{"type":"block_id","block_id":"293dc9c5-3059-802b-8d88-d182be0a64f9"},"created_time":"2025-10-21T14:04:00.000Z","last_edited_time":"2025-10-21T14:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Cookies are ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Cookies are ","href":null},{"type":"text","text":{"content":"not sent","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"not sent","href":null},{"type":"text","text":{"content":" in:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" in:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8012-b8b7-c37494eeef73","parent":{"type":"block_id","block_id":"293dc9c5-3059-802b-8d88-d182be0a64f9"},"created_time":"2025-10-21T14:04:00.000Z","last_edited_time":"2025-10-21T14:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"POST requests","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"POST requests","href":null},{"type":"text","text":{"content":" (which can change data and are riskier).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (which can change data and are riskier).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-808d-b1b5-d4d104b23f4b","parent":{"type":"block_id","block_id":"293dc9c5-3059-802b-8d88-d182be0a64f9"},"created_time":"2025-10-21T14:04:00.000Z","last_edited_time":"2025-10-21T14:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Background requests","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Background requests","href":null},{"type":"text","text":{"content":" made by scripts, iframes, or images.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" made by scripts, iframes, or images.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8004-b81e-e97d1b6562b5","parent":{"type":"block_id","block_id":"293dc9c5-3059-802b-8d88-d182be0a64f9"},"created_time":"2025-10-21T14:04:00.000Z","last_edited_time":"2025-10-21T14:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This provides a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This provides a ","href":null},{"type":"text","text":{"content":"balance between security and usability","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"balance between security and usability","href":null},{"type":"text","text":{"content":" — it blocks most CSRF attacks while still allowing normal user navigation.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" — it blocks most CSRF attacks while still allowing normal user navigation.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-80eb-b7b7-d27183735b48","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T14:05:00.000Z","last_edited_time":"2025-10-21T15:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"None","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"None","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-8032-9b48-e062ec44f818","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T14:06:00.000Z","last_edited_time":"2025-10-21T14:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"SameSite=None","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"SameSite=None","href":null},{"type":"text","text":{"content":" means the cookie is sent in ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" means the cookie is sent in ","href":null},{"type":"text","text":{"content":"all requests","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"all requests","href":null},{"type":"text","text":{"content":", including those from ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", including those from ","href":null},{"type":"text","text":{"content":"other websites","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"other websites","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8042-abdb-e8bd7151dca6","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T14:06:00.000Z","last_edited_time":"2025-10-21T14:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This completely ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This completely ","href":null},{"type":"text","text":{"content":"disables SameSite protection","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"disables SameSite protection","href":null},{"type":"text","text":{"content":", so it’s less secure.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", so it’s less secure.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8027-9f88-ff1ac083aeda","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T14:06:00.000Z","last_edited_time":"2025-10-21T14:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"When to use:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When to use:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8011-938e-ce9a0bd831ee","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T14:06:00.000Z","last_edited_time":"2025-10-21T14:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"For cookies used by ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"For cookies used by ","href":null},{"type":"text","text":{"content":"third-party services","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"third-party services","href":null},{"type":"text","text":{"content":", like ads or tracking — not for sensitive data.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", like ads or tracking — not for sensitive data.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80fe-8af2-e3d0cf4ca320","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T14:06:00.000Z","last_edited_time":"2025-10-21T14:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Risks & notes:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Risks & notes:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8018-877f-c9a1fb55de19","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T14:06:00.000Z","last_edited_time":"2025-10-21T14:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Makes the site ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Makes the site ","href":null},{"type":"text","text":{"content":"vulnerable to CSRF","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"vulnerable to CSRF","href":null},{"type":"text","text":{"content":" if used with sensitive cookies.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" if used with sensitive cookies.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8058-a84f-f1bb9f7e0360","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T14:06:00.000Z","last_edited_time":"2025-10-21T15:56:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Some sites wrongly disable SameSite for all cookies, which can expose them to attacks.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Some sites wrongly disable SameSite for all cookies, which can expose them to attacks.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8037-bcc2-de15fca7be07","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T15:57:00.000Z","last_edited_time":"2025-10-21T15:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"When setting a cookie with ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When setting a cookie with ","href":null},{"type":"text","text":{"content":"SameSite=None","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"SameSite=None","href":null},{"type":"text","text":{"content":", the website must also include the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", the website must also include the ","href":null},{"type":"text","text":{"content":"Secure","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Secure","href":null},{"type":"text","text":{"content":" ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" ","href":null},{"type":"text","text":{"content":"attribute, which ensures that the cookie is only sent in encrypted messages over HTTPS. Otherwise, browsers will reject the cookie and it won't be set.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"attribute, which ensures that the cookie is only sent in encrypted messages over HTTPS. Otherwise, browsers will reject the cookie and it won't be set.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8027-82a6-d4ced26f9781","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T14:06:00.000Z","last_edited_time":"2025-10-21T14:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Example:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Example:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8056-95d2-c037ca5a201d","parent":{"type":"block_id","block_id":"293dc9c5-3059-80eb-b7b7-d27183735b48"},"created_time":"2025-10-21T14:06:00.000Z","last_edited_time":"2025-10-21T14:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"Set-Cookie: trackingId=0F8tgdOhi9ynR1M9wa3ODa; SameSite=None; Secure","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Set-Cookie: trackingId=0F8tgdOhi9ynR1M9wa3ODa; SameSite=None; Secure","href":null}],"language":"plain text"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-805b-9e52-c3b8518f8b5b","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T15:58:00.000Z","last_edited_time":"2025-10-23T01:27:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Bypassing Lax restrictions using GET requests","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypassing Lax restrictions using GET requests","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-80b2-897a-dd239fa8665f","parent":{"type":"block_id","block_id":"293dc9c5-3059-805b-9e52-c3b8518f8b5b"},"created_time":"2025-10-21T15:59:00.000Z","last_edited_time":"2025-10-21T16:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Some servers accept both ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Some servers accept both ","href":null},{"type":"text","text":{"content":"GET","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"GET","href":null},{"type":"text","text":{"content":" and ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" and ","href":null},{"type":"text","text":{"content":"POST","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"POST","href":null},{"type":"text","text":{"content":" for the same endpoint. If the site’s session cookie uses ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" for the same endpoint. If the site’s session cookie uses ","href":null},{"type":"text","text":{"content":"SameSite=Lax","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"SameSite=Lax","href":null},{"type":"text","text":{"content":" (explicitly or by browser default), you can sometimes perform CSRF by forcing the victim’s browser to make a top-level GET navigation — the browser will include the session cookie for such navigations.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (explicitly or by browser default), you can sometimes perform CSRF by forcing the victim’s browser to make a top-level GET navigation — the browser will include the session cookie for such navigations.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8076-86dd-fe9e37f1870d","parent":{"type":"block_id","block_id":"293dc9c5-3059-805b-9e52-c3b8518f8b5b"},"created_time":"2025-10-21T15:59:00.000Z","last_edited_time":"2025-10-21T15:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"One simple technique is to redirect the user with JavaScript:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"One simple technique is to redirect the user with JavaScript:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80e4-a43c-d3b276bcd334","parent":{"type":"block_id","block_id":"293dc9c5-3059-805b-9e52-c3b8518f8b5b"},"created_time":"2025-10-21T15:59:00.000Z","last_edited_time":"2025-10-21T16:08:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"\n\n\n\nClick for free money!","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"\n\n\n\nClick for free money!","href":null}],"language":"html"},"archived":false},{"object":"block","id":"293dc9c5-3059-806b-9916-fdec073ffa1d","parent":{"type":"block_id","block_id":"293dc9c5-3059-805b-9e52-c3b8518f8b5b"},"created_time":"2025-10-21T15:59:00.000Z","last_edited_time":"2025-10-23T00:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Even if ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Even if ","href":null},{"type":"text","text":{"content":"GET","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"GET","href":null},{"type":"text","text":{"content":" request isn't allowed ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" request isn't allowed ","href":null},{"type":"text","text":{"content":"by the server and you want to send a GET request to make the browser fetch the cookies","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"by the server and you want to send a GET request to make the browser fetch the cookies","href":null},{"type":"text","text":{"content":", some frameworks honor a method-override parameter and will treat the request as a GET for routing. For example, Symfony supports ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", some frameworks honor a method-override parameter and will treat the request as a GET for routing. For example, Symfony supports ","href":null},{"type":"text","text":{"content":"_method","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"_method","href":null},{"type":"text","text":{"content":" in forms:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" in forms:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-800f-bed0-eb4ceaf0120e","parent":{"type":"block_id","block_id":"293dc9c5-3059-805b-9e52-c3b8518f8b5b"},"created_time":"2025-10-21T15:59:00.000Z","last_edited_time":"2025-10-23T00:56:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"","href":null}],"language":"html"},"archived":false},{"object":"block","id":"293dc9c5-3059-80ec-8b70-f08b844d8991","parent":{"type":"block_id","block_id":"293dc9c5-3059-805b-9e52-c3b8518f8b5b"},"created_time":"2025-10-21T16:14:00.000Z","last_edited_time":"2025-10-23T01:29:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This makes the browser see a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This makes the browser see a ","href":null},{"type":"text","text":{"content":"GET ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"GET ","href":null},{"type":"text","text":{"content":"request → fetch the cookies → then the server handle the request as a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"request → fetch the cookies → then the server handle the request as a ","href":null},{"type":"text","text":{"content":"POST ","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"POST ","href":null},{"type":"text","text":{"content":"because of the method override.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"because of the method override.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80cd-a504-cf81821c0bcd","parent":{"type":"block_id","block_id":"293dc9c5-3059-805b-9e52-c3b8518f8b5b"},"created_time":"2025-10-21T15:59:00.000Z","last_edited_time":"2025-10-21T15:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Other frameworks have similar method-override mechanisms that can be abused the same way.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Other frameworks have similar method-override mechanisms that can be abused the same way.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T16:49:00.000Z","last_edited_time":"2025-10-21T17:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Bypassing SameSite restrictions using on-site gadgets","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypassing SameSite restrictions using on-site gadgets","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-803d-942c-cebcddf070e2","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a"},"created_time":"2025-10-21T17:04:00.000Z","last_edited_time":"2025-10-21T17:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If a cookie is set to ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If a cookie is set to ","href":null},{"type":"text","text":{"content":"SameSite=Strict","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"SameSite=Strict","href":null},{"type":"text","text":{"content":", browsers will not send it with requests that come from other websites. But you might still be able to force the browser to make a request that the browser treats as ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", browsers will not send it with requests that come from other websites. But you might still be able to force the browser to make a request that the browser treats as ","href":null},{"type":"text","text":{"content":"same-site","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"same-site","href":null},{"type":"text","text":{"content":", so the cookie gets sent.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":", so the cookie gets sent.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8002-89df-d120b18c1e83","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a"},"created_time":"2025-10-21T17:04:00.000Z","last_edited_time":"2025-10-21T17:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"How that can happen:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How that can happen:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-800e-962e-edf7a563fa7e","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a"},"created_time":"2025-10-21T17:04:00.000Z","last_edited_time":"2025-10-21T17:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Some pages on the target site have client-side code (JavaScript) that builds a URL from input it gets in the page (for example, from URL parameters) and then navigates the browser there. That looks like a redirect in the page, but the browser treats the resulting request as a fresh same-site navigation.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Some pages on the target site have client-side code (JavaScript) that builds a URL from input it gets in the page (for example, from URL parameters) and then navigates the browser there. That looks like a redirect in the page, but the browser treats the resulting request as a fresh same-site navigation.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8074-be0b-ca69212c6cae","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a"},"created_time":"2025-10-21T17:04:00.000Z","last_edited_time":"2025-10-21T17:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Because the browser sees it as a same-site request, it will include the site’s cookies — even cookies marked ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Because the browser sees it as a same-site request, it will include the site’s cookies — even cookies marked ","href":null},{"type":"text","text":{"content":"SameSite=Strict","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"SameSite=Strict","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-803c-80ff-ffda4fe525ab","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a"},"created_time":"2025-10-21T17:04:00.000Z","last_edited_time":"2025-10-21T17:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"So if an attacker can control the input that the page uses to build that internal navigation, they can cause the victim’s browser to make a malicious same-site request that includes the Strict cookie — effectively bypassing the SameSite restriction.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"So if an attacker can control the input that the page uses to build that internal navigation, they can cause the victim’s browser to make a malicious same-site request that includes the Strict cookie — effectively bypassing the SameSite restriction.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-805d-b63d-eebcdeb0da99","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a"},"created_time":"2025-10-21T17:04:00.000Z","last_edited_time":"2025-10-21T17:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Important contrast:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Important contrast:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8089-9f28-ccf02e762291","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a"},"created_time":"2025-10-21T17:04:00.000Z","last_edited_time":"2025-10-21T17:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"This trick only works with ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This trick only works with ","href":null},{"type":"text","text":{"content":"client-side","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"client-side","href":null},{"type":"text","text":{"content":" redirects (made by JavaScript in the page).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" redirects (made by JavaScript in the page).","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-803b-82aa-e2e47a7550a8","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a"},"created_time":"2025-10-21T17:04:00.000Z","last_edited_time":"2025-10-21T17:04:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"It does ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"It does ","href":null},{"type":"text","text":{"content":"not","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"not","href":null},{"type":"text","text":{"content":" work with ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" work with ","href":null},{"type":"text","text":{"content":"server-side","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"server-side","href":null},{"type":"text","text":{"content":" redirects. For server redirects, the browser knows the request originated from a cross-site context and still blocks cookies according to SameSite rules.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" redirects. For server redirects, the browser knows the request originated from a cross-site context and still blocks cookies according to SameSite rules.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8011-91a4-f7d7a8a16bc3","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f6-8b9c-ef913d5ba84a"},"created_time":"2025-10-21T17:06:00.000Z","last_edited_time":"2025-10-21T17:06:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Note","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note","href":null},{"type":"text","text":{"content":"\nThis is a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"\nThis is a ","href":null},{"type":"text","text":{"content":"DOM‑based","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"DOM‑based","href":null},{"type":"text","text":{"content":" vulnerability (specifically a DOM‑based open redirect/gadget), not a server‑side one.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" vulnerability (specifically a DOM‑based open redirect/gadget), not a server‑side one.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-80f4-9e06-c1dd48edc36d","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T17:07:00.000Z","last_edited_time":"2025-10-21T17:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Bypassing SameSite restrictions via vulnerable sibling domains","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypassing SameSite restrictions via vulnerable sibling domains","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-8014-8d73-d5e076430642","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f4-9e06-c1dd48edc36d"},"created_time":"2025-10-21T17:12:00.000Z","last_edited_time":"2025-10-21T18:47:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Even if a request comes from a different origin, browsers can still treat it as ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Even if a request comes from a different origin, browsers can still treat it as ","href":null},{"type":"text","text":{"content":"same‑site","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"same‑site","href":null},{"type":"text","text":{"content":". That means problems on sibling domains (other sites you control under the same organization) can let an attacker act as if they’re on the same site and access site-level protections.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". That means problems on sibling domains (other sites you control under the same organization) can let an attacker act as if they’re on the same site and access site-level protections.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-802f-85df-eaad337a47b9","parent":{"type":"block_id","block_id":"293dc9c5-3059-80f4-9e06-c1dd48edc36d"},"created_time":"2025-10-21T17:12:00.000Z","last_edited_time":"2025-10-21T17:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If an attacker can make a secondary request from a sibling domain — for example by exploiting ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If an attacker can make a secondary request from a sibling domain — for example by exploiting ","href":null},{"type":"text","text":{"content":"XSS","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"XSS","href":null},{"type":"text","text":{"content":" on that sibling — they can bypass SameSite and other site-based defenses and attack the whole group of domains. The same idea applies to WebSockets: a cross-site WebSocket handshake can be abused (CSWSH) just like CSRF.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" on that sibling — they can bypass SameSite and other site-based defenses and attack the whole group of domains. The same idea applies to WebSockets: a cross-site WebSocket handshake can be abused (CSWSH) just like CSRF.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-21T17:12:00.000Z","last_edited_time":"2025-10-21T17:18:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Bypassing SameSite Lax restrictions with newly issued cookies","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypassing SameSite Lax restrictions with newly issued cookies","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-8058-85de-f2cce52e6b4a","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:17:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Cookies with ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Cookies with ","href":null},{"type":"text","text":{"content":"Lax","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Lax","href":null},{"type":"text","text":{"content":" SameSite restrictions are not normally sent in cross-site ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" SameSite restrictions are not normally sent in cross-site ","href":null},{"type":"text","text":{"content":"POST","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"POST","href":null},{"type":"text","text":{"content":" requests, but there are exceptions.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" requests, but there are exceptions.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8053-ba95-f6a29e42c3b3","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:17:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"When a website doesn't include a ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When a website doesn't include a ","href":null},{"type":"text","text":{"content":"SameSite","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"SameSite","href":null},{"type":"text","text":{"content":" attribute when setting a cookie, Chrome automatically applies ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" attribute when setting a cookie, Chrome automatically applies ","href":null},{"type":"text","text":{"content":"Lax","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Lax","href":null},{"type":"text","text":{"content":" restrictions but does not enforce them for the first 120 seconds on top-level ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" restrictions but does not enforce them for the first 120 seconds on top-level ","href":null},{"type":"text","text":{"content":"POST","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"POST","href":null},{"type":"text","text":{"content":" requests. This creates a two-minute window where users may be vulnerable to cross-site attacks.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" requests. This creates a two-minute window where users may be vulnerable to cross-site attacks.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-808e-90f5-ccf52db088af","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:17:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"quote","quote":{"rich_text":[{"type":"text","text":{"content":"Note","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Note","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"293dc9c5-3059-80af-97e3-f71ab45adf88","parent":{"type":"block_id","block_id":"293dc9c5-3059-808e-90f5-ccf52db088af"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:17:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This two-minute window does not apply to cookies that were explicitly set with the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This two-minute window does not apply to cookies that were explicitly set with the ","href":null},{"type":"text","text":{"content":"SameSite=Lax","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"SameSite=Lax","href":null},{"type":"text","text":{"content":" attribute.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" attribute.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"293dc9c5-3059-80c9-9459-e821eee15354","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:17:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"While timing an attack within this short window is impractical, if you can find a way to force the victim to be issued a new session cookie, you can refresh their cookie before launching the main attack. For example, completing an OAuth-based login flow may result in a new session each time.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"While timing an attack within this short window is impractical, if you can find a way to force the victim to be issued a new session cookie, you can refresh their cookie before launching the main attack. For example, completing an OAuth-based login flow may result in a new session each time.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-80ec-b388-de5db1843da9","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:17:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"To trigger the cookie refresh without requiring the victim to manually log in again, you need to use a top-level navigation that includes their current OAuth session cookies. This creates an additional challenge because you then need to redirect the user back to your site to launch the CSRF attack.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"To trigger the cookie refresh without requiring the victim to manually log in again, you need to use a top-level navigation that includes their current OAuth session cookies. This creates an additional challenge because you then need to redirect the user back to your site to launch the CSRF attack.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-8096-b403-f450d2ad9b38","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:17:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Alternatively, you can trigger the cookie refresh from a new tab so the browser doesn't leave the page before delivering the final attack. However, browsers block popup tabs unless they are opened through manual interaction. For example, this popup would be blocked by default:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Alternatively, you can trigger the cookie refresh from a new tab so the browser doesn't leave the page before delivering the final attack. However, browsers block popup tabs unless they are opened through manual interaction. For example, this popup would be blocked by default:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-802d-a121-d9f1568438b8","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:18:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"window.open('https://vulnerable-website.com/login/sso');","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"window.open('https://vulnerable-website.com/login/sso');","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"293dc9c5-3059-80c0-937e-f1235c8551df","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:17:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"To avoid this, you can wrap the statement in an ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"To avoid this, you can wrap the statement in an ","href":null},{"type":"text","text":{"content":"onclick","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"onclick","href":null},{"type":"text","text":{"content":" event handler:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" event handler:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"293dc9c5-3059-803f-a9d5-dd638b9804d4","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:18:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"window.onclick = () => {\n window.open('https://vulnerable-website.com/login/sso');\n}","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"window.onclick = () => {\n window.open('https://vulnerable-website.com/login/sso');\n}","href":null}],"language":"javascript"},"archived":false},{"object":"block","id":"293dc9c5-3059-8065-a214-f1c8735bc256","parent":{"type":"block_id","block_id":"293dc9c5-3059-80d2-ae44-f044ad86d9b9"},"created_time":"2025-10-21T17:17:00.000Z","last_edited_time":"2025-10-21T17:17:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"This way, the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"This way, the ","href":null},{"type":"text","text":{"content":"window.open()","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"window.open()","href":null},{"type":"text","text":{"content":" method is only invoked when the user clicks somewhere on the page.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" method is only invoked when the user clicks somewhere on the page.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"294dc9c5-3059-80ac-b925-cc0a437e1a6c","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-22T00:56:00.000Z","last_edited_time":"2025-10-22T00:56:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"294dc9c5-3059-8068-92b4-fdff1a101dd0","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-22T00:57:00.000Z","last_edited_time":"2025-10-23T18:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Bypassing Referer-based CSRF defenses","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypassing Referer-based CSRF defenses","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-8077-995f-e8b04f1e4af1","parent":{"type":"block_id","block_id":"294dc9c5-3059-8068-92b4-fdff1a101dd0"},"created_time":"2025-10-23T18:35:00.000Z","last_edited_time":"2025-10-23T18:35:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Aside from CSRF tokens, some apps try to use the HTTP ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Aside from CSRF tokens, some apps try to use the HTTP ","href":null},{"type":"text","text":{"content":"Referer","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Referer","href":null},{"type":"text","text":{"content":" header to block cross-site requests by checking that the request came from the app’s own domain. This is weaker than token-based protection and often bypassable.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" header to block cross-site requests by checking that the request came from the app’s own domain. This is weaker than token-based protection and often bypassable.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"295dc9c5-3059-80e5-9720-c63ae0a280cf","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-23T18:34:00.000Z","last_edited_time":"2025-10-23T18:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Referer header","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Referer header","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-8028-8a7b-c065543aaa32","parent":{"type":"block_id","block_id":"295dc9c5-3059-80e5-9720-c63ae0a280cf"},"created_time":"2025-10-23T18:36:00.000Z","last_edited_time":"2025-10-23T18:36:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The ","href":null},{"type":"text","text":{"content":"Referer","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Referer","href":null},{"type":"text","text":{"content":" header is optional and is automatically added by browsers when a user triggers an HTTP request (for example by clicking a link or submitting a form). Browsers may also withhold or modify it for privacy reasons.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" header is optional and is automatically added by browsers when a user triggers an HTTP request (for example by clicking a link or submitting a form). Browsers may also withhold or modify it for privacy reasons.","href":null}],"icon":null,"color":"default"},"archived":false}]},{"object":"block","id":"295dc9c5-3059-80d5-b58e-dbdf67a756e8","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-23T18:34:00.000Z","last_edited_time":"2025-10-23T18:37:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Validation of Referer depends on header being present","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Validation of Referer depends on header being present","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-8011-92ed-eda560c8a64e","parent":{"type":"block_id","block_id":"295dc9c5-3059-80d5-b58e-dbdf67a756e8"},"created_time":"2025-10-23T18:37:00.000Z","last_edited_time":"2025-10-23T18:37:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"If an application only validates the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"If an application only validates the ","href":null},{"type":"text","text":{"content":"Referer","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Referer","href":null},{"type":"text","text":{"content":" when it is present but does nothing when the header is missing, an attacker can craft an exploit that causes the victim’s browser to drop the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" when it is present but does nothing when the header is missing, an attacker can craft an exploit that causes the victim’s browser to drop the ","href":null},{"type":"text","text":{"content":"Referer","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Referer","href":null},{"type":"text","text":{"content":". The easiest way to do this is to host the CSRF page with a meta-referrer tag, for example:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":". The easiest way to do this is to host the CSRF page with a meta-referrer tag, for example:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-807f-b7a9-cff9a87a9229","parent":{"type":"block_id","block_id":"295dc9c5-3059-80d5-b58e-dbdf67a756e8"},"created_time":"2025-10-23T18:37:00.000Z","last_edited_time":"2025-10-23T18:37:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"","href":null}],"language":"html"},"archived":false}]},{"object":"block","id":"295dc9c5-3059-8087-b6f5-d083f05fef4a","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-23T18:34:00.000Z","last_edited_time":"2025-10-23T20:44:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"Validation of Referer can be circumvented","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Validation of Referer can be circumvented","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-804c-8f29-fed7aa3b6449","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:56:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Bypass Method 1: Subdomain Trick","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypass Method 1: Subdomain Trick","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-80a4-ba83-dba8f8a14a1c","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Faulty Validation:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Faulty Validation:","href":null},{"type":"text","text":{"content":" The application checks if the Referer ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" The application checks if the Referer ","href":null},{"type":"text","text":{"content":"starts with","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"starts with","href":null},{"type":"text","text":{"content":" ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" ","href":null},{"type":"text","text":{"content":"https://vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"https://vulnerable-website.com","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-805b-a4c5-ffbedd3c8c5c","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The Bypass:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The Bypass:","href":null},{"type":"text","text":{"content":" An attacker can create a domain they control that ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" An attacker can create a domain they control that ","href":null},{"type":"text","text":{"content":"begins with","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"begins with","href":null},{"type":"text","text":{"content":" the target domain.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" the target domain.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-8087-a470-d3beccda328a","parent":{"type":"block_id","block_id":"295dc9c5-3059-805b-a4c5-ffbedd3c8c5c"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:56:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"http://","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"http://","href":null},{"type":"text","text":{"content":"vulnerable-website.com","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"vulnerable-website.com","href":null},{"type":"text","text":{"content":".attacker-website.com/csrf-attack","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".attacker-website.com/csrf-attack","href":null}],"language":"javascript"},"archived":false}]},{"object":"block","id":"295dc9c5-3059-80a7-9474-f15400e5ffd6","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"How it Works:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How it Works:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-803d-97a7-e13659d0e426","parent":{"type":"block_id","block_id":"295dc9c5-3059-80a7-9474-f15400e5ffd6"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"The victim is tricked into visiting the attacker's page at the above URL.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The victim is tricked into visiting the attacker's page at the above URL.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-804c-8555-da827adf9f28","parent":{"type":"block_id","block_id":"295dc9c5-3059-80a7-9474-f15400e5ffd6"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"That page contains a hidden form that submits a malicious request to the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"That page contains a hidden form that submits a malicious request to the ","href":null},{"type":"text","text":{"content":"real","link":null},"annotations":{"bold":false,"italic":true,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"real","href":null},{"type":"text","text":{"content":" ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" ","href":null},{"type":"text","text":{"content":"vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"vulnerable-website.com","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8062-a8db-c9a191c7826d","parent":{"type":"block_id","block_id":"295dc9c5-3059-80a7-9474-f15400e5ffd6"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"When the browser sends this malicious request, the Referer header will be: ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When the browser sends this malicious request, the Referer header will be: ","href":null},{"type":"text","text":{"content":"http://vulnerable-website.com.attacker-website.com/csrf-attack","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"http://vulnerable-website.com.attacker-website.com/csrf-attack","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-80a9-9fcc-e92ec23cc719","parent":{"type":"block_id","block_id":"295dc9c5-3059-80a7-9474-f15400e5ffd6"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"The application checks: \"Does the Referer start with ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The application checks: \"Does the Referer start with ","href":null},{"type":"text","text":{"content":"vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"vulnerable-website.com","href":null},{"type":"text","text":{"content":"?\" Yes, it does! The validation passes, and the CSRF attack is successful.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"?\" Yes, it does! The validation passes, and the CSRF attack is successful.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"295dc9c5-3059-8075-8520-c73f8263b964","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:56:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"295dc9c5-3059-80de-af21-c6bfaa5966e7","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T20:44:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Bypass Method 2: Query String Trick","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Bypass Method 2: Query String Trick","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8040-accc-f538c5e3b2e9","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Faulty Validation:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Faulty Validation:","href":null},{"type":"text","text":{"content":" The application checks if the Referer ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" The application checks if the Referer ","href":null},{"type":"text","text":{"content":"contains","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"contains","href":null},{"type":"text","text":{"content":" the string ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" the string ","href":null},{"type":"text","text":{"content":"vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"vulnerable-website.com","href":null},{"type":"text","text":{"content":" anywhere inside it.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" anywhere inside it.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-805a-977d-fed68a620e8a","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The Bypass:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The Bypass:","href":null},{"type":"text","text":{"content":" The attacker can place the required domain name in the query string (parameters) of their own URL.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" The attacker can place the required domain name in the query string (parameters) of their own URL.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-805c-9d7a-fc0fd1244b8b","parent":{"type":"block_id","block_id":"295dc9c5-3059-805a-977d-fed68a620e8a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:57:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"http://attacker-website.com/csrf-attack?","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"http://attacker-website.com/csrf-attack?","href":null},{"type":"text","text":{"content":"vulnerable-website.com","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"vulnerable-website.com","href":null}],"language":"javascript"},"archived":false}]},{"object":"block","id":"295dc9c5-3059-8036-8672-d0b0c8fdba46","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"How it Works:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How it Works:","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-808a-83ca-fd2106b103d2","parent":{"type":"block_id","block_id":"295dc9c5-3059-8036-8672-d0b0c8fdba46"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"The victim visits the attacker's page.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The victim visits the attacker's page.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-80fa-a64e-e90663dd3f0f","parent":{"type":"block_id","block_id":"295dc9c5-3059-8036-8672-d0b0c8fdba46"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"The malicious request is generated. The Referer header would be the full URL: ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The malicious request is generated. The Referer header would be the full URL: ","href":null},{"type":"text","text":{"content":"http://attacker-website.com/csrf-attack?vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"http://attacker-website.com/csrf-attack?vulnerable-website.com","href":null},{"type":"text","text":{"content":".","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":".","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-80af-b601-d374b747bfb7","parent":{"type":"block_id","block_id":"295dc9c5-3059-8036-8672-d0b0c8fdba46"},"created_time":"2025-10-23T18:55:00.000Z","last_edited_time":"2025-10-23T18:55:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"numbered_list_item","numbered_list_item":{"rich_text":[{"type":"text","text":{"content":"The application checks: \"Does the Referer contain ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The application checks: \"Does the Referer contain ","href":null},{"type":"text","text":{"content":"vulnerable-website.com","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"vulnerable-website.com","href":null},{"type":"text","text":{"content":"?\" Yes, it's right there in the query string! The validation passes.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"?\" Yes, it's right there in the query string! The validation passes.","href":null}],"color":"default"},"archived":false}]},{"object":"block","id":"295dc9c5-3059-809b-b614-c67f22021c57","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:59:00.000Z","last_edited_time":"2025-10-23T18:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"295dc9c5-3059-804b-bb13-e1fb475a24fe","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:59:00.000Z","last_edited_time":"2025-10-23T19:00:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The Modern Complication: Browser Protection (For Method 2)","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The Modern Complication: Browser Protection (For Method 2)","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8075-819a-f8e9c16bcf54","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:58:00.000Z","last_edited_time":"2025-10-23T18:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The Problem:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The Problem:","href":null},{"type":"text","text":{"content":" To protect user privacy, modern browsers (like Chrome, Firefox) often ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" To protect user privacy, modern browsers (like Chrome, Firefox) often ","href":null},{"type":"text","text":{"content":"strip the query string and fragment from the Referer header","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"strip the query string and fragment from the Referer header","href":null},{"type":"text","text":{"content":" by default when making cross-origin requests. This means that in our ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" by default when making cross-origin requests. This means that in our ","href":null},{"type":"text","text":{"content":"\"Method 2\"","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"\"Method 2\"","href":null},{"type":"text","text":{"content":" example, the browser might only send ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" example, the browser might only send ","href":null},{"type":"text","text":{"content":"http://attacker-website.com/","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"http://attacker-website.com/","href":null},{"type":"text","text":{"content":" as the Referer, breaking the attack.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" as the Referer, breaking the attack.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-804f-98e6-e4f6540f27c4","parent":{"type":"block_id","block_id":"295dc9c5-3059-8087-b6f5-d083f05fef4a"},"created_time":"2025-10-23T18:58:00.000Z","last_edited_time":"2025-10-23T18:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"The Solution for Testing:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The Solution for Testing:","href":null},{"type":"text","text":{"content":" To prove the vulnerability exists, you need to force the browser to send the full URL. This is done by setting the ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" To prove the vulnerability exists, you need to force the browser to send the full URL. This is done by setting the ","href":null},{"type":"text","text":{"content":"Referrer-Policy: unsafe-url","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Referrer-Policy: unsafe-url","href":null},{"type":"text","text":{"content":" HTTP header in the attacker's page response.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" HTTP header in the attacker's page response.","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-80dc-a89e-e270cb9adead","parent":{"type":"block_id","block_id":"295dc9c5-3059-804f-98e6-e4f6540f27c4"},"created_time":"2025-10-23T18:58:00.000Z","last_edited_time":"2025-10-23T18:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"What it does:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"What it does:","href":null},{"type":"text","text":{"content":" This policy tells the browser, \"Always send the full URL in the Referer header, no matter where the request is going.\"","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" This policy tells the browser, \"Always send the full URL in the Referer header, no matter where the request is going.\"","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8031-9f69-cfd873eec354","parent":{"type":"block_id","block_id":"295dc9c5-3059-804f-98e6-e4f6540f27c4"},"created_time":"2025-10-23T18:58:00.000Z","last_edited_time":"2025-10-23T18:59:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Important Spelling:","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Important Spelling:","href":null},{"type":"text","text":{"content":" The header is correctly spelled as ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" The header is correctly spelled as ","href":null},{"type":"text","text":{"content":"Referrer-Policy","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Referrer-Policy","href":null},{"type":"text","text":{"content":" (with two 'r's followed by 'er'), whereas the HTTP header it controls is ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (with two 'r's followed by 'er'), whereas the HTTP header it controls is ","href":null},{"type":"text","text":{"content":"Referer","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Referer","href":null},{"type":"text","text":{"content":" (a historical misspelling).","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" (a historical misspelling).","href":null}],"color":"default"},"archived":false}]}]},{"object":"block","id":"295dc9c5-3059-80d4-8b86-f585e97348fb","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-23T18:34:00.000Z","last_edited_time":"2025-10-23T18:34:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"295dc9c5-3059-80c8-b3c0-d618b198ebad","parent":{"type":"page_id","page_id":"291dc9c5-3059-80c2-8b54-e01fdaadacd7"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":true,"in_trash":false,"type":"toggle","toggle":{"rich_text":[{"type":"text","text":{"content":"How to prevent CSRF vulnerabilities","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How to prevent CSRF vulnerabilities","href":null}],"color":"default"},"archived":false,"children":[{"object":"block","id":"295dc9c5-3059-8099-8912-d024850d8880","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:11:00.000Z","last_edited_time":"2025-10-23T19:11:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Use CSRF tokens","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Use CSRF tokens","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8013-900e-e6b9524e2bf7","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"The strongest defense against CSRF attacks is to use a CSRF token in relevant requests. This token must be:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"The strongest defense against CSRF attacks is to use a CSRF token in relevant requests. This token must be:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8031-a933-d1be2a15159b","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Unpredictable and complex.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Unpredictable and complex.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8042-9e51-f604bfe74784","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Linked to the user's session.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Linked to the user's session.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8092-aea9-dbe3bd476c7b","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"bulleted_list_item","bulleted_list_item":{"rich_text":[{"type":"text","text":{"content":"Always checked by the server before performing any action.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Always checked by the server before performing any action.","href":null}],"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-80c4-b0ca-c80be24aa270","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:11:00.000Z","last_edited_time":"2025-10-23T19:11:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"295dc9c5-3059-80d7-9c28-cd23af0dbce9","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:11:00.000Z","last_edited_time":"2025-10-23T19:11:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"How should CSRF tokens be generated?","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How should CSRF tokens be generated?","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8097-9f7b-c14ead1a0f6e","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"CSRF tokens should be created using a secure random number generator. For extra security, you can combine this random value with user-specific data and then hash the result.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"CSRF tokens should be created using a secure random number generator. For extra security, you can combine this random value with user-specific data and then hash the result.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8084-9227-c6cb2000084a","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Treat CSRF tokens as secrets. A common and safe method is to send the token to the client in a hidden field of an HTML form that uses POST. The token is then sent back as a parameter when the form is submitted:","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Treat CSRF tokens as secrets. A common and safe method is to send the token to the client in a hidden field of an HTML form that uses POST. The token is then sent back as a parameter when the form is submitted:","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8098-bf29-dbebafdc184e","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:11:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"code","code":{"caption":[],"rich_text":[{"type":"text","text":{"content":"","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"","href":null}],"language":"plain text"},"archived":false},{"object":"block","id":"295dc9c5-3059-80c5-8c79-e4bd560d5657","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Put the CSRF token field early in the HTML, before other inputs or user data, to help prevent attacks. Putting the token in a URL query string is less safe because the query string can be logged, shared with other sites, or shown on screen. Another method is to send the token in a custom request header, which can be more secure but only works with requests made by JavaScript (XHR), not HTML forms. Do not send CSRF tokens in cookies.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Put the CSRF token field early in the HTML, before other inputs or user data, to help prevent attacks. Putting the token in a URL query string is less safe because the query string can be logged, shared with other sites, or shown on screen. Another method is to send the token in a custom request header, which can be more secure but only works with requests made by JavaScript (XHR), not HTML forms. Do not send CSRF tokens in cookies.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-8001-a02a-fb0f6655f07b","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:12:00.000Z","last_edited_time":"2025-10-23T19:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"295dc9c5-3059-80db-bca5-fd6286710aba","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:12:00.000Z","last_edited_time":"2025-10-23T19:12:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"How should CSRF tokens be validated?","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"How should CSRF tokens be validated?","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-809b-a2c6-f6e11b57fea5","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"When a CSRF token is created, store it in the user's session on the server. When a request needing validation arrives, the server must check that the token in the request matches the one stored in the session. This check must happen for every request, regardless of its method or type. Reject any request that is missing a token or has an invalid token.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"When a CSRF token is created, store it in the user's session on the server. When a request needing validation arrives, the server must check that the token in the request matches the one stored in the session. This check must happen for every request, regardless of its method or type. Reject any request that is missing a token or has an invalid token.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-80de-b806-cf8396d4a0cd","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:13:00.000Z","last_edited_time":"2025-10-23T19:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"295dc9c5-3059-802c-a64e-f051ba5f2015","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:13:00.000Z","last_edited_time":"2025-10-23T19:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Use Strict SameSite cookie restrictions","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Use Strict SameSite cookie restrictions","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-806f-ba1c-ecf8e2106124","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Also, use Strict SameSite cookie restrictions for every cookie you set. This lets you control which contexts the cookie is used in. The ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Also, use Strict SameSite cookie restrictions for every cookie you set. This lets you control which contexts the cookie is used in. The ","href":null},{"type":"text","text":{"content":"Strict","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Strict","href":null},{"type":"text","text":{"content":" policy is the safest. Only use ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" policy is the safest. Only use ","href":null},{"type":"text","text":{"content":"Lax","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"Lax","href":null},{"type":"text","text":{"content":" if you have a specific need, and avoid ","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" if you have a specific need, and avoid ","href":null},{"type":"text","text":{"content":"SameSite=None","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":true,"color":"default"},"plain_text":"SameSite=None","href":null},{"type":"text","text":{"content":" unless you understand the security risks.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":" unless you understand the security risks.","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-801d-81c6-c2295b72bf32","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:13:00.000Z","last_edited_time":"2025-10-23T19:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"divider","divider":{},"archived":false},{"object":"block","id":"295dc9c5-3059-80e9-be07-ff4f62304074","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:13:00.000Z","last_edited_time":"2025-10-23T19:13:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Be wary of cross-origin, same-site attacks","link":null},"annotations":{"bold":true,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Be wary of cross-origin, same-site attacks","href":null}],"icon":null,"color":"default"},"archived":false},{"object":"block","id":"295dc9c5-3059-803d-99ab-e69cf1c98e78","parent":{"type":"block_id","block_id":"295dc9c5-3059-80c8-b3c0-d618b198ebad"},"created_time":"2025-10-23T19:10:00.000Z","last_edited_time":"2025-10-23T19:10:00.000Z","created_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"last_edited_by":{"object":"user","id":"4c79aa7e-a0ef-4194-b620-c86d82580555"},"has_children":false,"in_trash":false,"type":"paragraph","paragraph":{"rich_text":[{"type":"text","text":{"content":"Be aware that SameSite restrictions do not protect against cross-origin attacks that happen on the same site. If you can, put unsafe content like user-uploaded files on a different site from your sensitive functions and data. When testing, check all parts of the same site, including its related domains.","link":null},"annotations":{"bold":false,"italic":false,"strikethrough":false,"underline":false,"code":false,"color":"default"},"plain_text":"Be aware that SameSite restrictions do not protect against cross-origin attacks that happen on the same site. If you can, put unsafe content like user-uploaded files on a different site from your sensitive functions and data. When testing, check all parts of the same site, including its related domains.","href":null}],"icon":null,"color":"default"},"archived":false}]}],"title":"Cross-site request forgery (CSRF)"}]