security: update CSRF security model to indicate window.context is unprivileged (!28773) · Merge requests · Warren Gifford / sourcegraph

Merged Warren Gifford requested to merge sg/doc-window-context into main 3 years ago

Created by: slimsag

Now that window.context does not even contain CSRF tokens/headers (i.e., now that we have proven those are not used in our CSRF security model) we can now update our security model doc to indicate that window.context is entirely unprivileged data.

Signed-off-by: Stephen Gutekanst stephen@sourcegraph.com

Activity

Please register or sign in to reply

security: update CSRF security model to indicate window.context is unprivileged

Merge request reports

Merged by (May 7, 2025 3:59am UTC)

Activity