To state the obvious, you cannot use CSRF tokens in URLs and also have those links work as normal links from other web sites.
This means that using the same URL for multiple logged-in users becomes a no-no. Again, to state the obvious, this means that I can't share the same URL for a tweet with you if that URL displays personalized content for logged in users.
I might be misreading what Google is saying here, but this seems like a significant implication if true.
Replying to @wycats
I read it the same way, and, yeah, this has enormous implications for the personalized web.
I think rel=canonical may help mitigate some badness; I think I read recently that browsers are starting to use the canonical url when you click the share button.
Replying to @xander76
I don't see how it helps. You need a single URL to stick on social media, but you want the response to that GET to include personalized content.
Replying to @wycats
Oh yeah, you're right. I'm not thinking through the scenarios correctly, and it's been quite a while since I've thought one of these through.
Replying to @xander76
If this threat model holds, I suspect that the only solution is to fix (probably on some kind of opt-in basis) the same-origin holes that allow third-party sites to make these GET requests in the first place.
Replying to @wycats
Isn't that any use of cross-site anything that might load the resource into memory? It's hard for me to imagine a functioning web where GETs of cross-site scripts, images, etc. were disallowed. Or am I misunderstanding again?
And it was pointed out to me that many sites (ex: FB) have authenticated pages designed to be iframed like share embeds. And those inherently need the cookies.
Right. This is why we can't just "close the hole".
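One concrete shape the "opt-in" fix discussed above can take on the server side, as an added example that is not part of the thread: a shared URL keeps working as a normal link, but the personalized variant is only returned when the browser reports (via the standard Fetch Metadata headers Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest) that the request is same-site or a top-level user navigation. Cross-site subresource loads (img, script, fetch, iframe) triggered by a third-party page get the same body an anonymous visitor would, unless the path is on an explicit embed allow-list, which is the share-embed case that does need cookies. The paths, the `render`/`request_is_cross_site_subresource` functions, the sample requests and the allow-list are all constructed for this example.

```python
"""Serve a shared URL's personalized variant only to requests that a
third-party page cannot initiate; otherwise fall back to the public variant.

Constructed example. The Fetch Metadata header names are real; the paths,
the allow-list and the sample requests are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Endpoints deliberately built to be iframed cross-site (share embeds).
# They opt in to receiving the session cookie from a third-party page.
EMBED_PATHS = {"/embed/tweet"}


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)
    personalized: bool = False


def public_body(path: str) -> str:
    return f"<h1>{path}</h1><p>Public view</p>"


def personalized_body(path: str, user: str) -> str:
    return f"<h1>{path}</h1><p>Signed in as {user}; personalized view</p>"


def request_is_cross_site_subresource(headers: Dict[str, str]) -> bool:
    """True when another site initiated this load as a subresource.

    `headers` must have lowercase keys.
    """
    site = headers.get("sec-fetch-site")
    mode = headers.get("sec-fetch-mode")
    dest = headers.get("sec-fetch-dest")
    if site is None:
        # Legacy browser without Fetch Metadata: we cannot tell, so keep
        # compatibility and treat it as same-site. This is the residual risk.
        return False
    if site in ("same-origin", "same-site", "none"):
        return False
    # Cross-site: a top-level navigation (the user clicked a link) is fine;
    # anything else (img, script, fetch, iframe) was loaded by the other page.
    return not (mode == "navigate" and dest == "document")


def render(path: str, headers: Dict[str, str], session_user: Optional[str]) -> Response:
    """Pick the response variant for one request to a shared URL."""
    h = {k.lower(): v for k, v in headers.items()}
    # Caches must key on these headers, since the same URL has two bodies.
    common = {"Vary": "Cookie, Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest"}

    if session_user is None:
        return Response(public_body(path), {**common, "Cache-Control": "public, max-age=60"})

    private = {**common, "Cache-Control": "private, no-store"}
    if request_is_cross_site_subresource(h) and path not in EMBED_PATHS:
        # Logged-in user, but a third-party page initiated the load:
        # answer exactly as if the visitor were anonymous.
        return Response(public_body(path), {**private, "Cross-Origin-Resource-Policy": "same-site"})

    hdrs = dict(private)
    if path not in EMBED_PATHS:
        # Belt and braces for browsers that enforce these: block cross-site
        # no-cors reads and cross-origin framing of the personalized page.
        hdrs["Cross-Origin-Resource-Policy"] = "same-site"
        hdrs["X-Frame-Options"] = "SAMEORIGIN"
    return Response(personalized_body(path, session_user), hdrs, personalized=True)


# Constructed sample requests, as a browser would send them.
SAMPLE_REQUESTS = {
    "third_party_img": {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"},
    "link_click": {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"},
    "share_embed": {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "iframe"},
    "legacy_browser": {},
}


def demo() -> Dict[str, bool]:
    """Which sample requests receive personalized content for a logged-in user."""
    return {
        "third_party_img": render("/status/123", SAMPLE_REQUESTS["third_party_img"], "alice").personalized,
        "link_click": render("/status/123", SAMPLE_REQUESTS["link_click"], "alice").personalized,
        "third_party_iframe": render("/status/123", SAMPLE_REQUESTS["share_embed"], "alice").personalized,
        "share_embed": render("/embed/tweet", SAMPLE_REQUESTS["share_embed"], "alice").personalized,
        "legacy_browser": render("/status/123", SAMPLE_REQUESTS["legacy_browser"], "alice").personalized,
    }


if __name__ == "__main__":
    for name, personalized in demo().items():
        print(f"{name:20s} personalized={personalized}")
```

The legacy-browser branch is the important caveat: a browser that sends no Fetch Metadata cannot be distinguished, so the check only closes the hole for browsers that send the headers, and the embed allow-list is where a site consciously accepts the cross-site-with-cookies risk for specific endpoints.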