Comment Re:Computer systems need security audits. (Score 1) 143
CookieSafe, NoScript and the protection Opera has against CSRF - this is a big mess.
NoScript might save you from some POST malicious requests.
CookieSafe is similar to the Opera protection but did not work in my Iceweasel, only in Firefox it seemed to work.
The Opera "Only send cookies to the site I visit" (which is named badly because what it does is different) on the other hand protects you from embedded images doing CSRF, but not from a CSRF by submitting a form (by hand or JS).
So all these things do different things to protect you. We would need *all* three. Opera even says browser vendors are not responsible at all (I submitted a bug report), web developers are. But at the same time they do a "lightweight" protection.
So as long as even browser vendors are not sure what is necessary to avoid CSRF, the only thing left is to make your webapps safe and as a customer just be careful...
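The server-side defence the comment ends on, as an added example that is not part of the original post: a small, constructed request check that rejects both CSRF paths mentioned above (an embedded image, which is always a GET, and a cross-site form POST) without relying on any browser add-on. The site origin, the in-memory session store and the request dictionaries are all assumptions made for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"  # constructed origin of the protected app


@dataclass
class Session:
    """Server-side session keyed by the session cookie (constructed, in-memory)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: dict[str, Session] = {}


def new_session() -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session()
    return sid


def same_site(origin: str) -> bool:
    # Exact origin match, or a Referer URL under that origin; a prefix test
    # alone would also accept "https://bank.example.evil".
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def is_allowed(method: str, headers: dict, cookies: dict, form: dict) -> tuple[bool, str]:
    """Decide whether a state-changing request may proceed.
    1. State changes only on POST, so an <img src=...> (always GET) can never
       trigger one, whatever cookies the browser attached.
    2. The POST must carry the per-session synchronizer token in its body and,
       when the browser sends Origin/Referer, that value must be our own site.
    """
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return False, "no session"
    if method.upper() != "POST":
        return False, "state change requires POST"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin and not same_site(origin):
        return False, "cross-site origin"
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo() -> dict[str, bool]:
    """Run the scenarios from the comment against the check (constructed requests)."""
    sid = new_session()
    cookies, token = {"sid": sid}, SESSIONS[sid].csrf_token
    return {
        "img_get": is_allowed("GET", {"Referer": "https://evil.example/"}, cookies, {})[0],
        "foreign_post": is_allowed("POST", {"Origin": "https://evil.example"}, cookies, {"csrf_token": token})[0],
        "post_no_token": is_allowed("POST", {"Origin": SITE_ORIGIN}, cookies, {})[0],
        "legit_post": is_allowed("POST", {"Referer": SITE_ORIGIN + "/transfer"}, cookies, {"csrf_token": token})[0],
    }
```

Only the last scenario passes; the token check also covers browsers that strip Origin and Referer, which is why it is not optional.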