
Thanks for the response. As a second question, what would prevent someone with an "approved" Apple device from firing off a bunch of token requests and then distributing those tokens to different entities for those entities to submit to the origin to pass the validation test?


They could, but I'm sure there are rate-limits in place against that.


Good to know. And the rate limits themselves have to apply to user agents in the old style, right? Because there is no identifying information apart from current browser fingerprinting methods. If abused, do we foresee captchas having to be placed as a guard against attestation abuse?



