Google (finally) adds protection for common Web 2.0 attack
Google has beefed up the security of Gmail and its other services by adding a feature to login pages that blocks one of the more common forms of web attacks. The upgrade is designed to protect against CSRF, or cross-site request forgery, attacks. The technique subverts basic website defenses by exploiting the often-misplaced …
This topic is closed for new posts.
per page tokens are very annoying
Most website didn't adopt this measure because it produces tons of false positives. Clicking the back button on your browser, double clicking a button under certain conditions, hitting refresh and so on, will trigger this protection. It's a great thing on banking websites, but very annoying on general purpose websites. Per page tokens should be a last resort measure.
Web 2.0?
What exactly makes CSRF exclusively a 'Web 2.0' vulnerability?
@nickrw
"What exactly makes CSRF exclusively a 'Web 2.0' vulnerability?"
Marketing.
Did this Break gmail?
I haven't had any spam all day. What's happened?
@pitagora
"Per page tokens should be a last resort measure."
Personally I only use token-checking against non-idempotent requests. That _seems_ to work ...
This topic is closed for new posts.
