this post was submitted on 12 Dec 2023
249 points (96.3% liked)

Programmer Humor

[–] [email protected] 52 points 9 months ago (7 children)

...so allow...either?

What's so hard about checking two headers (Authorization: and Cookie:) for the authtoken?

[–] [email protected] 33 points 9 months ago (6 children)

It's a security thing. The HttpOnly cookie can't be stolen using XSS or something like that, while a bearer token must be stored somewhere where JavaScript can see it.

[–] [email protected] 25 points 9 months ago

Then again, cookie auth is vulnerable to CSRF. Pick your poison.

Although CSRF protection just adds a minor inconvenience, while there is never a guarantee your code is XSS vulnerability free.
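An added example (not from this thread or any project it mentions) of the "check either header" idea with the trade-off above made explicit: a bearer token in Authorization needs no CSRF check because browsers never attach it on their own, while a session cookie is attached automatically and so state-changing requests on the cookie path also require a double-submit CSRF token. The session store, token values and header names are constructed for illustration.

```python
import hmac
from http.cookies import SimpleCookie

# Constructed sample session store: opaque token -> user (not real data).
SESSIONS = {"tok-alice-7f3a": "alice", "tok-bob-91c2": "bob"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the session. HttpOnly keeps it out of
    document.cookie (so XSS can't read it), Secure limits it to HTTPS,
    SameSite=Lax stops most cross-site auto-sending."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def _cookies(headers: dict) -> dict:
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return {k: v.value for k, v in jar.items()}


def authenticate(method: str, headers: dict):
    """Return (scheme, user) if the request is authenticated, else None.

    Bearer path: the token only arrives if page script attached it, so a
    cross-site form or fetch can't forge it; no CSRF check needed.
    Cookie path: the browser attaches the cookie by itself, so unsafe
    methods must also carry a CSRF token only same-origin script can read.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user = SESSIONS.get(auth[len("Bearer "):].strip())
        return ("bearer", user) if user else None

    cookies = _cookies(headers)
    user = SESSIONS.get(cookies.get("session", ""))
    if not user:
        return None
    if method.upper() in SAFE_METHODS:
        return ("cookie", user)
    # Double-submit check: the (non-HttpOnly) csrf cookie must match the
    # X-CSRF-Token header; compare in constant time.
    expected = cookies.get("csrf", "")
    supplied = headers.get("X-CSRF-Token", "")
    if expected and hmac.compare_digest(expected, supplied):
        return ("cookie", user)
    return None
```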
