The only reason CSRF is even possible is because the browser sends (or, well, used to send) cookies for a particular request even if that request initiated from a different site. If the browser never did that (and most people would argue that's a design flaw from the get go) CSRF attacks wouldn't even be possible. The SameSite attribute makes it so that cookies will only be sent if the request that originated them is the same origin as the origin that originally wrote the cookie.
They give 2 reasons why SameSite cookies are only considered defense in depth:
----
> Lax enforcement provides reasonable defense in depth against CSRF attacks that rely on unsafe HTTP methods (like "POST"), but does not offer a robust defense against CSRF as a general category of attack:
> 1. Attackers can still pop up new windows or trigger top-level navigations in order to create a "same-site" request (as described in section 2.1), which is only a speedbump along the road to exploitation.
> 2. Features like "<link rel='prerender'>" [prerendering] can be exploited to create "same-site" requests without the risk of user detection.
> When possible, developers should use a session management mechanism such as that described in Section 8.8.2 to mitigate the risk of CSRF more completely.
----
But that doesn't make any sense to me. I think "the robust solution" should be to just be sure that you're only performing potentially sensitive actions on POST or other mutable method requests, and always setting the SameSite attribute. If that is true, there is absolutely no vulnerability if the user is using a browser from the past seven years or so. The 2 points noted in the above section would only lead to a vulnerability if you're performing a sensitive state-changing action on a GET. So rather than tell developers to implement a complicated "session management mechanism", it seems like it would make a lot more sense to just say don't perform sensitive state changes on a GET.
Am I missing something here? Do I not understand the potential attack vectors laid out in the 2 bullet points?
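The browser-side rule the question above turns on, as an added Python model that is not part of the original thread: the `Request` fields, the `FORGED` table and the `exposure` helper are my own simplification of the draft's Lax rule (cross-site cookies are attached only to top-level navigations using a safe method), with prerender treated as a top-level navigation, which is the draft's second point.

```python
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    method: str
    same_site: bool       # initiator's site == the site that set the cookie
    top_level_nav: bool   # top-level navigation (link, form, window.open, prerender)
                          # as opposed to a subresource fetch (img, script, XHR)


def cookie_sent(samesite: str, req: Request) -> bool:
    """Does a browser attach a cookie with this SameSite value to req?"""
    if req.same_site or samesite == "None":   # "None" == the legacy behaviour
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        # Lax still sends the cookie on cross-site top-level navigations that use
        # a safe method; that is exactly the gap the draft's two points describe.
        return req.top_level_nav and req.method in SAFE_METHODS
    raise ValueError(f"unknown SameSite value {samesite!r}")


# Constructed forged requests a cross-site page can issue without any CORS opt-in.
FORGED = {
    "auto-submitted <form method=POST>":    Request("POST", same_site=False, top_level_nav=True),
    "link / window.open GET (draft point 1)": Request("GET", same_site=False, top_level_nav=True),
    "prerender GET (draft point 2)":          Request("GET", same_site=False, top_level_nav=True),
    "<img src> subresource GET":              Request("GET", same_site=False, top_level_nav=False),
}


def exposure(samesite: str, state_changing_methods: set) -> dict:
    """For each forged request: True if it arrives authenticated (cookie attached)
    AND reaches a handler that changes state on that HTTP method."""
    return {name: cookie_sent(samesite, r) and r.method in state_changing_methods
            for name, r in FORGED.items()}


if __name__ == "__main__":
    for policy in ("None", "Lax", "Strict"):
        for methods in ({"POST"}, {"GET", "POST"}):
            print(policy, sorted(methods), exposure(policy, methods))
```

Real browsers add wrinkles the model omits (for instance Chrome's short-lived Lax+POST allowance for cookies that carry no explicit attribute), so the attribute should always be set explicitly rather than relying on the default.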
I don't understand your distinction at all. I may not quite grok your meaning here, but CORS is usually discussed in the context of allowing cross-origin AJAX calls.
But cross origin form posts are and have always been permitted, and are the main route by which CSRF vulnerabilities arise. Nothing on the client or server needs to be enabled to allow these form posts.
Furthermore, the approach detailed in the article simply has the server block requests if they are cross site/origin requests, so I'm not sure what the semantic difference is.
As a native English speaker who learned Russian years ago, the o/a thing never felt confusing to me, perhaps because it felt very similar to what English does. Syllables that aren't stressed tend to be pronounced faster with less of a hard sound, and that's just what the o -> a rule feels like to me.
I always felt like Russian was a pretty easy language to learn because it was so regular. Yes there are a lot of cases and declensions, but once you learn the rules, you can get like 95% of the way there, and then even the last 5% of exceptions are quite "regular exceptions", e.g. the "ogo" written -> "ova" pronounced rule.
I think this is such an important point. I know all about Bellard's main works. I actually have no idea what he looks like, I've also never seen an interview with him, and I've never read about his specific philosophies when it comes to different software engineering topics. In a world of never-ending bloviations from "influencers" and "thought leaders" it's so awesome to see a real example of true excellence.
The Turing Award is given for breakthroughs in computer science, not for "most productive programmer of all time", and it wouldn't be appropriate for Bellard.
> some US manufacturer that slipped a few thousand dollars
As if they even need to do it surreptitiously. They'd just announce it in the Oval Office with a giant gold plaque for Trump, a few million bucks for the ballroom, and agree that government purchases can be made in Trumpcoin.
> Time and time again we see that 'one size fits all' is simply not true
Do we though? It feels like we're still in the stage where we're just trying to figure out what the best solution is for grid-scale storage, but once we do figure it out, the most efficient solution will win out over all the others. Yes, there may be some regional variation (e.g. TFA mentions how pumped hydro is great but only makes sense where geography supports it), but overall it feels like the world will eventually narrow things down to a very small number of solutions.
The point I was making isn't that we are or aren't actually narrowing down our options, it is that diversity of options is important. We have artificially limited diversity in our energy ecosystem and the rapid adoption of solar/wind/etc shows that. We could have been here decades ago if we actually encouraged diversity and exploration of alternate energy instead of actively discouraging it. Now that it is impossible to hold wind/solar back they are dominating. We should learn from that and encourage exploring diverse options in storage. Luckily I don't think storage has nearly the pushback that generation has had so I think it will be easier for many options to enter and find their niche.
I use the Sperti Vitamin D sunlamp at home during the winter months. It wasn't cheap but wasn't crazy expensive either and seems to be what you want (e.g. UVB).
Well, the 'active ingredient' in these things is the bulb and a reputable brand (Philips medical) runs about 150 euros for a 100w tube with a R17d plug:
You then just need the right ballast for it and a basic timer, maybe a reflector and stand and you're in business. Getting smaller qty is going to be an issue since these suppliers tend to sell in packs of 10.
Apparently a ballast runs about 70 euros and can power two bulbs.
I might look into it since it's down right affordable compared to the alternatives.
I think it's a pretty safe assumption that all the comments here about "normal non-self help guru celebrities don't get stalked as much" are from men. I think literally every woman who is even semi-moderately in the public eye has stories about stalkers, regular death threats and rape fantasies, etc.
Glad to hear other commenters are pushing back against this proposition that Ferris is somehow a special case, because it's a story I've heard from lots and lots of people in the public eye, regardless of their area of expertise.