OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: CSRF: Also document `__Secure-` prefix for cookies against double submission attacks #1373

Closed ljrk0 closed 2 months ago

ljrk0 commented 2 months ago

What is missing or needs to be updated?

While #332 added the __Host- prefix as per the discussion in #195, the (admittedly weaker) __Secure- prefix was not added to the CSRF cheat sheet, despite being mentioned in the thread: https://github.com/OWASP/CheatSheetSeries/issues/195#issuecomment-533914778

How should this be resolved?

Arguably this prefix should be added as well, either as a recommendation for those cases where domain-locked __Host- prefixes are not possible to implement, or as a warning to check whether indeed this weakened protection is actually applicable.
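To make the difference between the two prefixes concrete, here is an added example (not part of the OWASP cheat sheet and not code posted by anyone in this thread) that models the browser-side acceptance rules for `__Host-` and `__Secure-` cookies as specified in RFC 6265bis, and then runs a few constructed `Set-Cookie` headers through them. The hostnames `www.example.com` and `evil.example.com` and the header strings are assumptions for illustration only.

```javascript
// Added example: a model of the RFC 6265bis cookie-prefix checks a browser
// applies before storing a cookie. Not code from the OWASP cheat sheet.
//
//   __Secure-  : must carry the Secure attribute and come from a secure origin.
//   __Host-    : all of the above, plus no Domain attribute and Path exactly "/".
//
// The extra __Host- constraints are what stop a sibling subdomain from
// planting a cookie that the parent origin will later receive.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? "" : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    if (p === "") continue;
    const i = p.indexOf("=");
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    const v = i === -1 ? true : p.slice(i + 1).trim();
    attrs[k] = v;
  }
  return { name, value, attrs };
}

// Returns null if the cookie passes the prefix rules, otherwise a reason string.
// fromSecureOrigin: whether the response came over a secure (https) origin.
function prefixRejectReason(cookie, fromSecureOrigin) {
  const { name, attrs } = cookie;
  const hasSecure = "secure" in attrs;
  if (name.startsWith("__Host-")) {
    if (!fromSecureOrigin) return "__Host-: not set from a secure origin";
    if (!hasSecure) return "__Host-: missing Secure attribute";
    if ("domain" in attrs) return "__Host-: Domain attribute not allowed";
    if (attrs.path !== "/") return "__Host-: Path must be exactly '/'";
    return null;
  }
  if (name.startsWith("__Secure-")) {
    if (!fromSecureOrigin) return "__Secure-: not set from a secure origin";
    if (!hasSecure) return "__Secure-: missing Secure attribute";
    return null;
  }
  return null; // unprefixed cookies are not subject to these rules
}

function wouldBeStored(header, fromSecureOrigin) {
  return prefixRejectReason(parseSetCookie(header), fromSecureOrigin) === null;
}

// Constructed scenario (hostnames are hypothetical): a response from
// evil.example.com tries to set a CSRF cookie scoped to the whole
// example.com domain so that www.example.com will receive it.
// The __Secure- variant is stored; the __Host- variant is dropped.
const SUBDOMAIN_INJECTION_ATTEMPTS = {
  secure: "__Secure-csrf=attacker; Secure; Domain=example.com; Path=/",
  host: "__Host-csrf=attacker; Secure; Domain=example.com; Path=/",
};

function subdomainInjectionOutcome() {
  return {
    securePrefixStored: wouldBeStored(SUBDOMAIN_INJECTION_ATTEMPTS.secure, true),
    hostPrefixStored: wouldBeStored(SUBDOMAIN_INJECTION_ATTEMPTS.host, true),
    hostPrefixReason: prefixRejectReason(
      parseSetCookie(SUBDOMAIN_INJECTION_ATTEMPTS.host), true),
  };
}

console.log(subdomainInjectionOutcome());
```

The point the issue is making shows up in the last function: a `__Secure-` cookie may still carry a `Domain` attribute, so any host under that domain can overwrite it, and a server doing double-submit comparison cannot tell the attacker's value from its own. `__Host-` forbids `Domain` and pins `Path` to `/`, so the cookie is host-only and cannot be injected from a sibling subdomain. Neither prefix does anything on clients that do not implement the rules, which is why the thread treats them as an addition to, not a replacement for, the other defence-in-depth measures.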

jmanico commented 2 months ago

Would you care to PR this? Keep in mind this would break sites where authenticated users would need to visit different subdomains.

ljrk0 commented 2 months ago

Sure, can do! In that case, maybe we should also re-phrase the current text about __Host- which IMHO is a bit unclear:

https://github.com/OWASP/CheatSheetSeries/blob/4a8af5056f633e9d40e45c65471d88f551121832/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md?plain=1#L295

Another solution for this problem [...]

It's not completely obvious to me what "this problem" is referring to.

Additionally, I wouldn't call this "another solution", as this sounds too much like an alternative. Especially with older clients it is crucial not to see this as an alternative to existing in-depth measures but as an extension/addition.

I'll draft something and we can iterate on that!

ljrk0 commented 2 months ago

Fixed with #1374