More

talkin · 2026-01-23T07:37:12 1769153832

“Intuitive!”

talkin · 2025-12-25T11:43:25 1766663005

NO. Please don’t spread wrong solutions.

Your attempt has similarities to the idea behind Checking Sec-Fetch-Site. Implementing that header is the same amount of work. But this header is exactly meant for this purpose, and referer is haunted with problems.

So for officially intended protections, implementing this header and samesite cookies gets you a very long way without any complexity, assumptions, or tricks of old lore.

NorwegianDude · 2025-12-25T13:34:46 1766669686

It's not a wrong solution. It's been commonly used since forever, tens of years before the sec-fetch-site header existed, and it stops CSRF. Sec-fetch-site is not supported in old browsers, so relying on that is unsafe without any fallbacks.

talkin · 2025-06-26T06:51:24 1750920684

No. The Regex DoS class of bugs is about infinite backtracking or looping inside the regex engine. Completely isolated component, just hogging CPU inside the regex engine. It may also have ‘DoS’ in its name, but there’s no relation to network (D)DoS attacks.

It could still be a security error, but only if all availability errors are for that project. But after triage, the outcome is almost always “user can hang own browser on input which isn’t likely”. And yes, it’s a pity I wrote ‘almost’, which means having to check 99% false alarms.

talkin · 2025-06-19T14:02:49 1750341769

Backup/restore tends too look less important until it isn’t. ;)

talkin · 2025-06-16T21:37:25 1750109845

Interferes with the business model. ;)

talkin · 2025-02-12T22:03:55 1739397835

> Well, I don't think most folks could name a CEO of another car company.

Yup, and I don’t care. I liked the brand better without the drama queen.

talkin · 2025-02-07T11:50:44 1738929044

Spreading the message inside FB helps the mission. The people who already stopped don’t need to be convinced anymore. ;)

But sure, ironic and counterintuitive.

talkin · on Jan 5, 2025

Nobody said you shouldn’t do any due diligence. But 1 sprint vs 2 months of review really smells like ‘processes over people’. ;)

normie3000 · on Jan 5, 2025

A more positive view would be that the security team may have had different priorities to the product team.

robertlagrant · on Jan 6, 2025

Two months of review after the work would be a lot more useful than before.

talkin · on Nov 26, 2024

All true, but lets be honest: For the technical users searching a library, nothing beats having The Keyword being part of the name.

talkin · on Nov 15, 2024

Yes. Just like the Log4j issue root cause. Too powerful and abstract features to wield securely.

Or maybe if we keep intent out of it; features were added in a time when we all worried less about security and internet implications. I would like to say ‘in the security dark ages’ but we are probably still in that era. ;)