security: update CSRF security model to indicate window.context is unprivileged
Created by: slimsag
Now that window.context does not even contain CSRF tokens/headers (i.e., now that
we have proven those are not used in our CSRF security model) we can now update our
security model doc to indicate that window.context is entirely unprivileged data.
Signed-off-by: Stephen Gutekanst [email protected]