Client-generated double submit cookie, cross-site request forgery prevention
- by James
In a double-submitted cookie CSRF prevention scheme, is it necessary for the server to provide the cookie?
It seems I could have JavaScript on the client's page generate and set a cookie "anti_csrf", then double-submit that (once as a cookie, done by the browser, and once in the body of the request).
A foreign domain would not be able to read or write the "anti_csrf" cookie to include it in the body of a request.
Is this secure, or am I overlooking something?