Some thoughts about CSRF tokens and CRIME/BREACH-like attacks:
Do you even need SameSite for that? I'd kinda expect the Origin header to provide enough protection already, but I haven't thought about this a lot.
It would be (and would solve CSRF elegantly) if implemented according to https://tools.ietf.org/id/draft-abarth-origin-03.html#rfc.section.5, but it's not, and it's simply not sent at all for important requests.
Are you only talking about missing Origin in non-fetch GET requests, or did browsers also mess up the logic around redirects, or something like that?
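The exchange above turns on one caveat: a server that relies on the Origin header must decide what to do when the browser does not send it at all. The following is an added example, not code from the thread or from any of the participants, showing a server-side check that validates Origin against an allowlist, falls back to the Referer's origin when Origin is absent, and fails closed when neither is present; it also emits the SameSite cookie attribute the thread compares it with. `ALLOWED_ORIGINS` and the plain-dict header representation are assumptions for the example.

```python
"""CSRF check built on the Origin header, with explicit handling of the
case where the browser sends no Origin at all (constructed example)."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed trusted origins for the example application.
ALLOWED_ORIGINS = {"https://app.example"}

# Methods that must not change state; they are not CSRF-checked here,
# which is exactly why a state-changing GET stays unprotected by this scheme.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL such as a Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_csrf(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request with the given method/headers."""
    method = method.upper()
    if method in SAFE_METHODS:
        return True, "safe method, not checked"

    origin = headers.get("Origin")
    if origin is not None:
        # "null" is the opaque origin (sandboxed frames, some redirects);
        # it can never match a trusted origin, so reject it explicitly.
        if origin.strip().lower() == "null":
            return False, "opaque origin"
        return origin.strip().lower() in ALLOWED_ORIGINS, "origin checked"

    # Origin missing: the browser did not send it, so fall back to Referer.
    referer = headers.get("Referer")
    if referer:
        return origin_of(referer) in ALLOWED_ORIGINS, "referer fallback"

    # Neither header present: fail closed rather than assume same-origin.
    return False, "no Origin or Referer; rejected"


def session_cookie(name: str, value: str, same_site: str = "Lax") -> str:
    """Build a Set-Cookie value carrying the SameSite attribute."""
    if same_site not in {"Strict", "Lax", "None"}:
        raise ValueError("SameSite must be Strict, Lax or None")
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


if __name__ == "__main__":
    # Constructed requests: cross-site POST, same-origin POST, header-less POST.
    for hdrs in ({"Origin": "https://evil.example"},
                 {"Origin": "https://app.example"},
                 {}):
        print(hdrs, "->", check_csrf("POST", hdrs))
    print(session_cookie("sid", "opaque-session-id"))
```

The Referer fallback is weaker than Origin (it can be stripped by referrer policies and proxies), so the function records which path was taken; a deployment can log the `reason` to see how often real traffic arrives without either header before deciding whether failing closed is acceptable.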
I kinda invented something better a few years ago while building a CMS (work is still in progress) for @TheHackersNews. I have put together the logic in the attached screenshot (pic.twitter.com/g8GAe6dthW). Let me know if I haven't considered something.
One problem with CSRF tokens is that the renderer knows them; cookies have the nice property that you can keep them isolated in the browser process, and so an attacker who can leak arbitrary data from your renderer process still can't forge requests. This doesn't address that.
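The opening tweet puts CSRF tokens next to CRIME/BREACH, and the weakness those attacks exploit is a secret that appears byte-for-byte identical in every compressed response. The following is an added example, not code from the thread or from the CMS mentioned above, showing the usual mitigation: the per-session secret is never emitted directly, but XORed with a fresh random pad on every response, so the token bytes differ each time while the server can still recover and verify the secret. Token length and the hex wire encoding are choices made for this example. Note that this addresses the compression side channel only; it does nothing for the renderer-leak concern raised in the reply above, since the page still holds enough to reconstruct the secret.

```python
"""Per-response masking of a CSRF token so repeated responses do not carry
identical secret bytes (constructed example of the BREACH mitigation)."""
import hmac
import secrets
from typing import Optional

TOKEN_LEN = 32  # bytes of session secret; an assumption for the example


def new_session_secret() -> bytes:
    """Secret stored server-side with the session; never sent as-is."""
    return secrets.token_bytes(TOKEN_LEN)


def mask_token(secret: bytes) -> str:
    """Return pad || (secret XOR pad) as hex, with a fresh pad per call.

    Because the pad is random, two masked tokens for the same secret share
    no fixed bytes, which removes the stable plaintext BREACH needs.
    """
    pad = secrets.token_bytes(len(secret))
    masked = bytes(a ^ b for a, b in zip(secret, pad))
    return (pad + masked).hex()


def unmask_token(masked_hex: str, length: int) -> Optional[bytes]:
    """Invert mask_token; return None for malformed or wrong-length input."""
    try:
        raw = bytes.fromhex(masked_hex)
    except ValueError:
        return None
    if len(raw) != 2 * length:
        return None
    pad, masked = raw[:length], raw[length:]
    return bytes(a ^ b for a, b in zip(pad, masked))


def verify_token(session_secret: bytes, submitted: str) -> bool:
    """Constant-time comparison of the recovered secret with the session's."""
    recovered = unmask_token(submitted, len(session_secret))
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, session_secret)


if __name__ == "__main__":
    secret = new_session_secret()
    first, second = mask_token(secret), mask_token(secret)
    print("tokens differ on the wire:", first != second)
    print("both verify:", verify_token(secret, first) and verify_token(secret, second))
    print("foreign token rejected:", not verify_token(secret, mask_token(new_session_secret())))
```

Each form render calls `mask_token` with the session's secret; each state-changing request passes the submitted value to `verify_token`. The secret itself should be compared only through `hmac.compare_digest`, as above, so that verification time does not depend on where the first mismatching byte sits.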
I wasn't even aware of this header. But I feel SameSite is really the simplest solution. Set the cookie flag and you're done.