[Service Workers] New APIs = New Vulns = Fun++ https://sirdarckcat.blogspot.com/2015/05/service-workers-new-apis-new-vulns-fun.html …
Replying to @sirdarckcat
@sirdarckcat with service workers, why not add tokens in headers as the CSRF protection? Or are you talking about CSRF'ing the SW?
Replying to @sirdarckcat
@sirdarckcat hmm.. I could have sworn that the request object had a property that could help mitigate. CC @slightlylate @jaffathecake
Replying to @frgx
@frgx @slightlylate @jaffathecake yes it does. Referrer
Replying to @sirdarckcat
@sirdarckcat what about the case where the attacker-controlled page blocks the referrer via referrer policy? @slightlylate @jaffathecake
Replying to @frgx
@frgx @sirdarckcat @jaffathecake: in these cases the URL is still wrong, no? I guess XSS mitigation should now include "flush caches".
Replying to @slightlylate
@slightlylate @frgx @jaffathecake yes, if the referrer isn't present, then the CSRF check fails too
Replying to @sirdarckcat
@sirdarckcat @frgx @jaffathecake: the attack needs CORS set on the content to display, which'd allow XHR from page to do same
@sirdarckcat @frgx @jaffathecake: regarding XSRF, will think harder on it. You make a good point: cache exp is up to app for better/worse
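The check the thread converges on, written out as an added example (this is not code from the thread, from the linked post, or from any of the participants): a service worker fetch handler that attaches a CSRF token header only when `request.referrer` proves the request was initiated by a page on the worker's own origin, and fails closed when the referrer is empty, which is what an attacker page gets by setting a no-referrer policy. The origin, token value, header name, and the plain-object stand-ins for `Request` are all assumptions so the logic runs outside a browser.

```javascript
// Added example, not code from the original thread or the linked post.
// A service worker that adds a CSRF token header only for requests whose
// Referer proves a page on this origin initiated them. An empty referrer
// (e.g. the initiating page set Referrer-Policy: no-referrer) is treated
// as untrusted, so the check fails closed. ORIGIN, CSRF_TOKEN, CSRF_HEADER
// and the plain-object request shapes are assumptions.

const ORIGIN = 'https://app.example';        // assumed deployment origin
const CSRF_TOKEN = 'tok-0123456789abcdef';    // assumed; real code loads it from the app
const CSRF_HEADER = 'X-CSRF-Token';           // assumed header name
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// True only if href parses and its origin equals `origin`; unparseable -> false.
function sameOrigin(href, origin) {
  try { return new URL(href).origin === origin; } catch { return false; }
}

// Classify using only the two properties the thread relies on:
// request.url and request.referrer.
//   'trusted'   same-origin URL and a same-origin referrer
//   'untrusted' anything else, including an empty referrer (fail closed)
function classifyRequest(request, origin = ORIGIN) {
  if (!sameOrigin(request.url, origin)) return 'untrusted';   // defence in depth
  if (!request.referrer) return 'untrusted';                   // '' under no-referrer
  return sameOrigin(request.referrer, origin) ? 'trusted' : 'untrusted';
}

// Decide what the worker forwards. Returns a plain description so the logic
// is testable outside a browser; the wiring below converts it for real use.
function forwardedRequest(request, origin = ORIGIN) {
  const headers = { ...(request.headers || {}) };
  const addToken = classifyRequest(request, origin) === 'trusted'
                && STATE_CHANGING.has(request.method.toUpperCase());
  if (addToken) headers[CSRF_HEADER] = CSRF_TOKEN;
  return { method: request.method, url: request.url, headers, tokenAdded: addToken };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  // Form post from one of our own pages: gets the token.
  ownPage:    { method: 'POST', url: `${ORIGIN}/api/transfer`, referrer: `${ORIGIN}/account` },
  // Cross-site form post from an attacker page: no token.
  crossSite:  { method: 'POST', url: `${ORIGIN}/api/transfer`, referrer: 'https://evil.example/' },
  // Attacker page with Referrer-Policy: no-referrer: referrer is '', still no token.
  noReferrer: { method: 'POST', url: `${ORIGIN}/api/transfer`, referrer: '' },
  // Same-origin GET: safe method, no token needed.
  ownGet:     { method: 'GET',  url: `${ORIGIN}/api/balance`, referrer: `${ORIGIN}/account` },
};

// Browser wiring; this branch only runs inside a real ServiceWorkerGlobalScope.
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (event) => {
    const plan = forwardedRequest(event.request);
    if (!plan.tokenAdded) return;                       // let the browser handle it untouched
    const headers = new Headers(event.request.headers);
    headers.set(CSRF_HEADER, CSRF_TOKEN);
    event.respondWith(fetch(new Request(event.request, { headers })));
  });
}
```

Two things to keep in mind when using this pattern: the worker only ever sees `request.referrer` as the browser computed it after applying the initiating page's referrer policy, so the empty case is not an edge case but the one the attacker will choose, and the handler above must therefore refuse rather than guess; and the token header is only ever added, never trusted, on the worker side, so the server still has to validate it on every state-changing request.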