search

w3ctag / capability-urls

Work on good practices for the use of capability URLs
http://w3ctag.github.io/capability-urls/
33 stars 17 forks source link

Capability urls recommanded by Chromium in light of Meltdown/Spectre #11

Open DavidBruant opened 6 years ago

DavidBruant commented 6 years ago

Don’t serve user-specific or sensitive content from URLs that attackers can predict or easily learn. (...) Use anti-CSRF tokens or random URLs to break this kind of attack.

https://sites.google.com/a/chromium.org/dev/Home/chromium-security/ssca

It might be worth mentioning this somewhere

annevk commented 6 years ago

It's hard to reconcile that recommendation with user habits of sharing URLs with friends though. As this would require handing a different URL to a friend than you found in the address bar.

DavidBruant commented 6 years ago

I'm not sure i understand, are you answering to this issue specifically or to the general idea of capability url?

prebenlm commented 6 years ago

Note that Google have now removed that recommendation from its page.

A comment was given here: https://twitter.com/fugueish/status/949025331234533376

Not sure if this changes anything as for the proposal, but I discovered it and thought I would let you know