Cross-Site Request Forgery countermeasures can be greatly simplified using request metadata provided by modern browsers.| words.filippo.io
1. Introduction| wicg.github.io
Include Security's latest blog post covers Cross-Site WebSocket Hijacking and how modern browser security features do (or don't) protect users. We discuss Total Cookie Protection in Firefox, Private Network Access in Chrome, and review the SameSite attribute's role in CSWH attacks. The post includes a few brief case studies based on situations encountered during real world testing, in addition to a simple test site that can be hosted by readers to explore each of the vulnerability conditions.| Include Security Research Blog
DNS rebinding explained| www.gabriel.urdhr.fr
TL;DR: In this post, I investigate why developers struggle with CORS and I derive Fearless CORS, a design philosophy for better CORS middleware libraries, which comprises the following twelve principles: Optimise for readability; Strive for a simple and cohesive API; Provide support for Private Network Access; Categorise requests correctly; Validate configuration and fail fast; Treat CORS as a compilation target; Provide no default configuration; Do not preclude legitimate configurations; Ease trou...| jub0bs.com
1. Introduction| wicg.github.io
HTML| html.spec.whatwg.org