Google has beefed up the security of Gmail and its other services by adding a feature to login pages that blocks one of the more common forms of web attacks. The upgrade is designed to protect against CSRF, or cross-site request forgery, attacks. The technique subverts basic website defenses by exploiting the often-misplaced …
per page tokens are very annoying
Most websites didn't adopt this measure because it produces tons of false positives. Clicking the back button on your browser, double-clicking a button under certain conditions, hitting refresh and so on, will trigger this protection. It's a great thing on banking websites, but very annoying on general purpose websites. Per page tokens should be a last resort measure.
What exactly makes CSRF exclusively a 'Web 2.0' vulnerability?
"What exactly makes CSRF exclusively a 'Web 2.0' vulnerability?"
Did this break Gmail?
I haven't had any spam all day. What's happened?
Coffee, keyboard, you know the drill....
"Per page tokens should be a last resort measure."
Personally I only use token-checking against non-idempotent requests. That _seems_ to work ...
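The two approaches argued over in this thread (a per-session token checked only on non-idempotent requests, versus single-use per-page tokens) can be shown side by side. The following is an added example written for this page, not code from Google or from any commenter; the `CsrfGuard` class, its `mode` parameter and the `demo` helper are hypothetical names chosen here, and the session and form dictionaries stand in for whatever a real framework would use. It shows why a per-session token lets a refreshed or re-posted form succeed, while a consumed per-page token makes the same replay fail, which is the "false positive" the first commenter complains about.

```python
import hmac
import secrets

# Idempotent methods: no state change, so no token is demanded for them.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class CsrfGuard:
    """Illustrative CSRF token checker (not a real framework's middleware).

    mode="session":  one token per session, valid for the session's lifetime.
    mode="per_page": one single-use token per rendered form, consumed on use.
    """

    def __init__(self, mode="session"):
        if mode not in ("session", "per_page"):
            raise ValueError("mode must be 'session' or 'per_page'")
        self.mode = mode

    def issue_token(self, session):
        """Return a token to embed in a form as a hidden field."""
        if self.mode == "session":
            if "csrf_token" not in session:
                session["csrf_token"] = secrets.token_urlsafe(32)
            return session["csrf_token"]
        token = secrets.token_urlsafe(32)
        session.setdefault("csrf_tokens", set()).add(token)
        return token

    def check(self, method, session, form):
        """Return True if the request may proceed.

        Safe methods pass without a token. Non-idempotent methods must carry
        a token that matches one held server-side in the session.
        """
        if method.upper() in SAFE_METHODS:
            return True
        submitted = form.get("csrf_token")
        if not submitted:
            return False
        if self.mode == "session":
            expected = session.get("csrf_token")
            # Constant-time comparison avoids leaking the token byte by byte.
            return bool(expected) and hmac.compare_digest(submitted, expected)
        # per_page: the matching token is discarded on first use, so a
        # re-POST from refresh or the back button fails the second time.
        tokens = session.get("csrf_tokens", set())
        for t in tokens:
            if hmac.compare_digest(submitted, t):
                tokens.discard(t)
                return True
        return False


def demo(mode):
    """Walk one constructed session through the cases discussed in the thread.

    Returns (get_without_token, post_without_token, post_with_token,
             post_replayed_with_same_token).
    """
    guard = CsrfGuard(mode)
    session = {}                      # constructed stand-in for server-side session
    token = guard.issue_token(session)
    get_ok = guard.check("GET", session, {})
    post_no_token = guard.check("POST", session, {})
    post_first = guard.check("POST", session, {"csrf_token": token})
    post_replay = guard.check("POST", session, {"csrf_token": token})
    return (get_ok, post_no_token, post_first, post_replay)


def forged_token_rejected(mode):
    """A cross-site page cannot read the victim's token, so a guessed value fails."""
    guard = CsrfGuard(mode)
    session = {}
    guard.issue_token(session)
    return not guard.check("POST", session, {"csrf_token": "guess"})


if __name__ == "__main__":
    for m in ("session", "per_page"):
        print(m, demo(m), "forged rejected:", forged_token_rejected(m))
```

In `session` mode the replayed POST still passes, so the back button and refresh keep working; in `per_page` mode the same replay is refused, which is the trade-off the thread describes. Either way, a request arriving without the session's token is refused, and the GET is never challenged.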