| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by jkrejcha 7 days ago

> - HttpOnly fights XSS which is impossible to execute with modern frontend frameworks.

Eh. Frontend frameworks tend to make successful XSS much worse because they tend to require disabling HttpOnly for not very good reasons. HttpOnly is a nice defense in depth measure against the consequences of XSS.

> - SameSite fights CSRF but the real solution is to disable loading the website in iframes (remember clickjacking?).

Disabling iframes doesn't fix CSRF. You can still <form method="..." /> or <img /> tags or whatever. For an example, see these universal logout pages. SameSite helps with CSRF (you really should also using CSRF tokens as the primary control and maybe using the Sec-Fetch-X headers as well).

1 comments

szmarczak 6 days ago

> they tend to require disabling HttpOnly for not very good reasons

First time I'm hearing that frameworks require disabling HttpOnly.

> Disabling iframes doesn't fix CSRF. You can still <form method="..." /> or <img /> tags or whatever.

Obviously. IMG tags don't work because of CORS (unless you explicitly allow this) nor script tags etc. Browsers send Origin and Sec-Fetch- headers which you can use to block POST navigation requests from other origins, like you mentioned.

But when you're using tokens in JavaScript then you don't have to worry because you already have your CSRF token, which is inaccessible to third parties and no form submit will include it. That's why local storage is more secure.

link

jkrejcha 5 days ago

> First time I'm hearing that frameworks require disabling HttpOnly.

They effectively do in the case where you're using local storage because they need to grab the session token from somewhere. The thing about HttpOnly is that JS code never even gets to see the session token. Which is a mitigation for a whole class of vulnerabilities.

> ...CSRF

You have to mitigate CSRF server-side (with a CSRF token, checking the Sec-Fetch-* headers) or by using SameSite on the client side (ideally both)

There's a reason "don't use local storage for security sensitive stuff" is part of the OWASP cheatsheet[1]

[1]: https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Securit...

link

szmarczak 4 days ago

> There's a reason "don't use local storage for security sensitive stuff" is part of the OWASP cheatsheet

Local storage was released more than 16 years ago, and back then PHP was wayy too popular. XSS is almost impossible to execute these days (unless you do selfxss).

Discord has mitigations for grabbing the token from local storage: https://news.ycombinator.com/item?id=48563286

link

szmarczak 5 days ago

> You have to mitigate CSRF server-side (with a CSRF token

> when you're using tokens in JavaScript then you don't have to worry because you already have your CSRF token

No reason to have a dedicated CSRF token because your local storage token already works as a CSRF token.

link