@sirdarckcat with service workers, why not add tokens in headers as the csrf protection? Or are you talking about csrf'ing the sw?
Replying to @sirdarckcat
@sirdarckcat hmm.. I could have sworn that the request object had a property that could help mitigate CC @slightlylate @jaffathecake
Replying to @frgx
@frgx @slightlylate @jaffathecake yes it does. Referrer
Replying to @sirdarckcat
@sirdarckcat what about the case where the attacker controlled page blocks the referrer via referrer policy? @slightlylate @jaffathecake
Replying to @frgx
@frgx @sirdarckcat @jaffathecake: in these cases the URL is still wrong, no? I guess XSS mitigation should now include "flush caches".
Replying to @slightlylate
@slightlylate @frgx @jaffathecake yes, if the referrer isn't present, then the CSRF check fails too
Replying to @sirdarckcat
@sirdarckcat @slightlylate @jaffathecake I guess I have use cases that restrict referrer X-origin, but also want to have CSRF protection
Replying to @frgx
@frgx @slightlylate @jaffathecake ah I see. Well, then your SW needs to build its own CSRF tokens
Replying to @sirdarckcat
@sirdarckcat @slightlylate @jaffathecake yeah, I had thought SW could just be told the origin chain of the request or something
@frgx @sirdarckcat @jaffathecake : SWs only see navigations to their registered origins/scopes or sub-requests from docs that result.
Replying to @slightlylate
@slightlylate @frgx @jaffathecake so, Dev is talking about CSRF and I think you are talking about the redirect?