Attackers simply choose the method that works - and it seems app owners still need to rely on XSRF tokens, even only in Safari.
Hmm, it seems like the claim "solves cross-site request forgeries" is dangerously misleading. I get what you were trying to say John, but nobody can safely remove XSRF mitigations, so why even mention it? It will just cause confusion, no?
As mentioned in a sub thread, I've changed that bullet point to say "Disables cross-site request forgery attacks against websites through third-party requests."
OK, XSRF mitigations are always still required though, because any sub-resource request can be changed so that it performs a top-level navigation, and it would still be exploitable, right? So I guess my question is, don't you think it might be confusing to readers?
I don't think so. This is how https://web.dev/samesite-cookies-explained/ formulates it:
"While the SameSite attribute is widely supported, it has unfortunately not been widely adopted by developers. The open default of sending cookies everywhere means all use cases work but leaves the user vulnerable to CSRF and unintentional information leakage."
And you're saying that site is correct, there are cases where this makes a CSRF unexploitable? You might be right, but for my own education, do you have an example? My intuition is that you can always just add a navigation.
We've made clear that we mean the third-party case in the blog post. And frankly, shouldn't we celebrate what was achieved today? I mean in terms of safety and privacy on the web. It's a huge step forward.
Ahh... you're not saying they're not exploitable anymore, you're saying that if a CSRF requires a navigation, then it's not a CSRF??? OK, well, I wasn't expecting that answer. I'm just trying to understand if it is safer, my intuition says it's a no-op.
If it's a no-op, you or a coworker should change this document: https://www.chromestatus.com/feature/5088147346030592
Sure, that does seem like it could use some clarification too!
I asked Mike about that document, they're saying that they can make form POSTs unauthenticated, that will make some CSRFs unexploitable, so that document does seem accurate. With Safari, the attack just requires modification, and it will always still be exploitable... right?
The default will protect against navigational requests?