
Web security updates #98

Merged
merged 1 commit into from
Sep 15, 2024

Conversation

julien-piet
Contributor

  • Added phishing
  • Added a discussion about cookie policies versus SOP
  • Added a CSRF defense
  • Fixed typos

@ashmchiu
Contributor

linking for awareness - issue #19


## 21.4. Defense: SameSite Cookie Attribute

A last way to defend against CSRF attacks is to add a flag to cookies that specifies it should be sent only when the domain of the cookie exactly matches the domain of the origin. For example, with this flag, if `evil.com` causes the browser to make a request to `bank.com`, cookies for `bank.com` will not be sent because the origin domain (`evil.com`) and cookie domain (`bank.com`) are different. Unfortunately, this browser-side defense is not implemented on all browsers, thus is usually only used as a defense-in-depth strategy.

SameSite actually works with "sites" which are coarser than origins. For instance, usercontent.berkeley.edu can attack www.berkeley.edu. But maybe that's unimportant in this context.
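To make the site-versus-origin point above concrete, here is an added example (not code from this PR or from the textbook it edits) that models the browser's SameSite decision; the public-suffix set is a hand-written stand-in for the real Public Suffix List, and the `cookieSent` helper and its cases are assumptions of this example.

```javascript
// Added example (not code from the PR or the textbook it edits): a toy model of
// the browser's SameSite decision, showing why "site" is coarser than "origin".
// Real browsers consult the Public Suffix List; the tiny set below stands in
// for it (an assumption of this example, not a real PSL).
const PUBLIC_SUFFIXES = new Set(["com", "edu", "co.uk"]);

// Registrable domain (eTLD+1): the public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// Origin, as the same-origin policy sees it: scheme, host and port.
function originOf(url) {
  return new URL(url).origin;
}

// Site, as SameSite sees it: scheme plus registrable domain only.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// Would a cookie with the given SameSite attribute be attached to a request
// from `initiator` to `target`? `topLevelGet` marks a top-level navigation
// with a safe method, the one cross-site case Lax still allows. An absent
// attribute is treated as Lax, matching Chromium's default.
function cookieSent({ sameSite, initiator, target, topLevelGet = false }) {
  if (siteOf(initiator) === siteOf(target)) return true; // same site: always sent
  switch (sameSite) {
    case "Strict": return false;
    case "None":   return true;   // real browsers also require Secure here
    case "Lax":
    default:       return topLevelGet;
  }
}

// Constructed cases taken from the PR text and the review comment above.
const cases = {
  evilToBank: cookieSent({ sameSite: "Strict",
    initiator: "https://evil.com", target: "https://bank.com/transfer" }),
  berkeleySubdomain: cookieSent({ sameSite: "Strict",
    initiator: "https://usercontent.berkeley.edu", target: "https://www.berkeley.edu" }),
  berkeleySameOrigin: originOf("https://usercontent.berkeley.edu") === originOf("https://www.berkeley.edu"),
};
```

The `berkeleySubdomain` case is the reviewer's point: the two hosts are different origins under SOP, yet the same site, so SameSite alone does not separate them.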

@davidwagner davidwagner merged commit afb05ad into main Sep 15, 2024
1 check passed
@davidwagner davidwagner deleted the web branch September 15, 2024 01:23