Oh please don't let this be true. I think it's more being suggested as a temporary fix until browsers are patched but... uuuuugh. https://twitter.com/wycats/status/948812652997885952 …
I really hope so. Otherwise, all CSRF mitigation assumptions are invalidated.
Right. I can't even start to think of the level of fundamental redesign web security and interlinking would need to undergo.
fwiw, the Flashpocalypse 5 or so years back had a pretty wide ranging impact on CSRF (turned out you couldn't rely on custom headers meaning same-origin anymore), but that still didn't break GET assumptions.
It would turn the web into a world where every private resource URL has to be un-guessable ahead of time and never shared. Almost reminds me of the PHP session-id-in-the-url madness.
As far as I can tell, the linked page seems not to contain the cited text anymore. Either I'm mistaken or they edited it out.