Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

One nice thing about this approach is that it also protects GET requests, which in many cases are impossible to protect with CSRF tokens. CSRF protection for GET requests is considered less crucial, because correctly designed GETs can not change state of resources, so can not perform any sensitive action. But GETs can leak sensitive information, like for example the fact that the user is logged into certain services. With same-site attribute this problem should be solved.


Yes, in rare cases other windows leak status codes e.g. timing attack on location.history.

Other than this, this feature is a bad idea and shouldn't be implemented. Neither fixes any unsolved problem, nor does it gracefully.


I thought that an attacker's JS code can't read the response from a GET request in a CSRF attack. Or are you saying it's possible for the attacker to read the HTTP status code of the response?


I think you're correct here. Also, like POST-based CSRF, get-based CSRF is also a solved problem (issue a param in the URL)


Gets are protected by the same origin policy, no?


Get content is protected, but error status is not. For example a site can check if an image that is shown only to logged users of some other site loads successfully (this leaks if a user is logged).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: