Some thoughts about CSRF tokens and CRIME/BREACH-like attacks:
This only works because the CSRF token is always the same on multiple page loads. So what about having a secret key on the server per session, and the token is random+hash(random+csrfkey)? Verify is hash(firsthalf+csrfkey)==secondhalf.
a) is this a good idea? b) has anyone else already invented this?
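The scheme proposed above, worked through as an added example (this is not code from the thread or from any of its participants). It assumes a per-session key that lives only on the server, a 16-byte random prefix, and HMAC-SHA256 standing in for the thread's hash(random+csrfkey); the HMAC and the constant-time comparison are my choices, not something the thread specifies. Because the random prefix changes on every page load, the token bytes in each response differ, so there is no fixed secret in the HTML for a compression side channel to recover, while the server can still verify any of them against the one session key:

```python
import hmac
import hashlib
import secrets

RANDOM_LEN = 16  # bytes of per-load randomness: the "firsthalf" of the token
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes: the "secondhalf"


def new_session_key() -> bytes:
    """Per-session CSRF secret (assumed stored with the session, never sent to the client)."""
    return secrets.token_bytes(32)


def issue_token(session_key: bytes) -> str:
    """Mint a fresh token: random || HMAC(session_key, random), hex-encoded.

    Every call draws new randomness, so two page loads in the same session
    embed different token bytes even though both verify against the same key.
    """
    rnd = secrets.token_bytes(RANDOM_LEN)
    tag = hmac.new(session_key, rnd, hashlib.sha256).digest()
    return (rnd + tag).hex()


def verify_token(session_key: bytes, token: str) -> bool:
    """Recompute the tag over the first half and compare it to the second half.

    Malformed input (bad hex, wrong length) is rejected before any key use, and
    the comparison is constant-time so a verifier does not leak how many tag
    bytes matched.
    """
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return False
    if len(raw) != RANDOM_LEN + TAG_LEN:
        return False
    rnd, tag = raw[:RANDOM_LEN], raw[RANDOM_LEN:]
    expected = hmac.new(session_key, rnd, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the properties a defender cares about; values are constructed here."""
    key_a = new_session_key()   # session A
    key_b = new_session_key()   # a different session
    t1 = issue_token(key_a)
    t2 = issue_token(key_a)
    # Flip the last tag byte of t1 to simulate tampering.
    tampered = t1[:-2] + ("00" if t1[-2:] != "00" else "11")
    return {
        "tokens_differ": t1 != t2,                       # distinct bytes per page load
        "both_valid": verify_token(key_a, t1) and verify_token(key_a, t2),
        "wrong_session_rejected": not verify_token(key_b, t1),
        "tampered_rejected": not verify_token(key_a, tampered),
        "malformed_rejected": not verify_token(key_a, "zz") and not verify_token(key_a, "00"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Usage note: the server stores only `session_key`; the token goes into the form (or a header) as today, and `verify_token` replaces the usual equality check. The token is bound to the session key, not to a user identity, so it does not substitute for an authenticated session cookie; it only stops the token itself from being a stable secret on the page.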
We can also fix it with SameSite cookies. Are SameSite cookies the overall solution to all CSRF now? Do we even need CSRF tokens any more?
Replying to @hanno
Do you even need SameSite for that? I'd kinda expect the Origin header to provide enough protection already, but I haven't thought about this a lot.
It would be (and would solve CSRF elegantly) if implemented according to https://tools.ietf.org/id/draft-abarth-origin-03.html#rfc.section.5 - but it's not, and it's simply not sent at all for important requests.
Replying to @kkotowicz @hanno
Are you only talking about missing Origin in non-fetch GET requests, or did browsers also mess up the logic around redirects, or something like that?
I believe a form POST would also not carry Origin? It was really messed up last I looked at it.
Chrome and Firefox at least seem to send it on same-origin form POST...