pilcrowonpaper / copenhagen

A basic guideline on implementing auth for the web
https://thecopenhagenbook.com
MIT License

Update CSRF info in Sessions page's "Client storage" section #21

Open mahmoud opened 4 months ago

mahmoud commented 4 months ago

Hey, really loving the book! I did notice one section that seemed a bit out of date.

Similar to #12, CSRF can be mitigated on 96%+ of browsers by using a dual cookie method described here.

The current page reads:

CSRF protection must be implemented when using cookies, and using the SameSite flag is not sufficient. ... Lax should be preferred over Strict for the SameSite attribute as using Strict will cause the browser to not send the session cookie when the user visits your application via an external link.

I suggest updating this to be in line with the changes in #15, and ideally linking citations.

pilcrowonpaper commented 4 months ago

That's still 4% of users not protected, and as mentioned in the book, SameSite doesn't protect you from cross-origin request forgery

mahmoud commented 4 months ago

Well, that's a very shallow reading of the 96%+. What it means is 100% of Chrome, Safari, Firefox, etc., are protected. And 100% of Opera Mini, Baidu Browser, etc., aren't protected.

Realistically, many sites won't work with those browsers for a variety of other reasons, including limiting the target market. For instance, I'm certainly not building a product for the Chinese market, so I need not worry about QQ and Baidu browser.

As for the second part, maybe some clarification is necessary: Are you recommending that CSRF tokens be implemented as the primary line of defense to prevent CORS attacks as well? If so, maybe this could be clearer in the CSRF doc.

pilcrowonpaper commented 4 months ago

No, cross-origin request forgery is not CORS. It’s an (admittedly rare) attack where an attacker gets hold of one of your subdomains.

pilcrowonpaper commented 4 months ago

I’m not really sure the difference between tracked and all-users on caniuse but even if the number is 99% or 99.5%, that’s still 1/100~1/200 users not protected. Of course that might be something you’re fine with (alongside the cross origin stuff) and we could probably mention it, but I’m not sure what issue you have with our general recommendation
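The distinction the thread turns on, that a SameSite=Lax session cookie still travels with a request started from any subdomain of the same site while an explicit server-side CSRF check does not depend on the browser at all, as an added Python model that is not part of the thread or the book; APP_ORIGIN, SITE and the three request dictionaries are constructed values.

```python
import hmac
import secrets

# Assumed application origin and its registrable domain ("site"); constructed values.
APP_ORIGIN = "https://app.example.com"
SITE = "example.com"

def registrable_domain(host: str) -> str:
    # Simplified eTLD+1 (last two labels); real code should consult the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def lax_cookie_sent(origin_host: str, method: str, top_level_nav: bool) -> bool:
    """Model of when a SameSite=Lax cookie accompanies a request started from origin_host."""
    if registrable_domain(origin_host) == SITE:
        return True  # every subdomain is same-site, so SameSite never blocks it
    return top_level_nav and method in ("GET", "HEAD")

def csrf_check(req: dict, session_token: str) -> bool:
    """Server-side check that does not rely on SameSite: exact Origin match plus session token."""
    if req["headers"].get("Origin") != APP_ORIGIN:
        return False
    return hmac.compare_digest(req["form"].get("csrf_token", ""), session_token)

def evaluate(req: dict, session_token: str) -> dict:
    origin_host = req["headers"]["Origin"].split("://", 1)[1]
    return {"cookie_sent_under_lax": lax_cookie_sent(origin_host, req["method"], req["top_level_nav"]),
            "csrf_check_passed": csrf_check(req, session_token)}

def demo() -> dict:
    token = secrets.token_urlsafe(32)  # token bound to the victim's session
    # Constructed requests: a legitimate form post, a forgery from a hypothetical compromised
    # subdomain (same-site, so Lax still sends the cookie), and a forgery from an unrelated site.
    requests = {
        "legitimate": {"method": "POST", "top_level_nav": False,
                       "headers": {"Origin": APP_ORIGIN}, "form": {"csrf_token": token}},
        "forged_from_subdomain": {"method": "POST", "top_level_nav": False,
                                  "headers": {"Origin": "https://legacy.example.com"}, "form": {}},
        "forged_cross_site": {"method": "POST", "top_level_nav": False,
                              "headers": {"Origin": "https://attacker.invalid"}, "form": {}},
    }
    return {name: evaluate(r, token) for name, r in requests.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The subdomain case is the one SameSite alone leaves open: the cookie is sent, and only the Origin/token check rejects the request.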