I've worked on multiple CSRF mitigations in my time on the Rails security team and if GET requests are really now vulnerable to the extent that Google is suggesting using randomized URLs or CSRF tokens, this shit is about to get real.
To state the obvious, you cannot use CSRF tokens in URLs and also have those links work as normal links from other web sites.
This means that using the same URL for multiple logged-in users becomes a no-no. Again, to state the obvious, this means that I can't share the same URL for a tweet with you if that URL displays personalized content for logged in users.
I might be misreading what Google is saying here, but this seems like a significant implication if true.
New conversation
I think the Chrome team is overreacting a bit. As soon as all OS patches are delivered, the problem is gone for Chrome. It is a CPU vuln and can be mitigated by the OS.
Only the kernel/user vuln. The userspace vuln can't be patched.
Damn... but still: Chrome/V8 and the other browsers should be patched instead of the whole internet.
Yeah. We should figure it out. Unfortunately SiteIsolation is a chrome only feature so frameworks like rails can't rely on it.
Hm, Firefox has something similar: https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/ In any case it needs to be activated by the user, so nobody can rely on that.
New conversation
Wasn't that part of what CORS should address? Or put another way, if the client lets a random script access JSON loaded in an <img>, the client is doing shit, isn't it?
That was the assumption, but these are new attacks that invalidate those assumptions.
OK, I'm starting to get to grips with that attack. Mozilla posted about it, too: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
Note that CORS was never a defense. The same-origin policy is, but it has known holes such as this that could always lead to some information exposure.
But now it can lead to total information disclosure. We might want to close the prerender hole in Same-Site lax mode. If someone really wants that feature, maybe we need an "actually top level nav only for real" mode.
Yes, it sounds pretty bad indeed. I hope @mikewest is on it, assuming you’re referring to cookies.
With the caveat that I'm still on vacation, and haven't followed internal threads, my understanding is that Site Isolation will be pushing prerendering into a distinct process in Chrome, which is a good mitigation for this class of attack.
(In fact, that might already be the case in stable, now that we're shipping PlzNavigate. @nasko will know.)
New conversation
Looks like they removed that recommendation now?
I would be very happy if they explained why they wrote it in the first place and then removed it.
New conversation
I noticed that line is now missing from the original link. Was the threat overblown, or is it getting reported in a separate bulletin?
I don't know. I wish someone from Google would say what happened here :)