Message from JavaScript discussions

January 2018

— A simple img tag can attack your app from any website if you only use cookies


Your browser will happily send the cookie along with any request from any site, to your app's server

— Maybe yes, but it doesn't send expiration time

— Not sure what you mean, if it's in cookies it gets sent

— Whereas localStorage isn't sent automatically and has to be used by your scripts

— So if I receive a CSRF I take the token and blacklist it

— Yeah, you can detect CSRF attempts sometimes. If your server gets the JWT for example, but not any other tokens like CSRF tokens, then the server can know that something is wrong and blacklist that JWT

— The img tag should be injected somehow first, right? To steal the cookie

— No

— Attacker will never need to ever see or steal it

— CSRF relies on the fact that the browser auto-sends the cookie, so the attacker must simply direct the browser to make a request to your site

— Oh yes, forgot