top | item 19853750


34r45sdg | 6 years ago

Is this another way for Google to prevent you from clearing their cookies via the 'Clear Cookies' option?

It's a step in the right direction with enforcing SameSite cookie scoping, but we must be cautious that Google doesn't use this to force you to always be logged in. Google has a long way to go to rebuild trust after that last browser login debacle. I don't trust em.

jakub_g | 6 years ago

It's a way to fix one of the biggest security mistakes of the web (being able to send an _authenticated_ request - i.e. with cookies - to any domain from any other domain, for example from evil.com to youremailprovider.com with the payload "delete all emails"), that was kept on by default for two decades due to backward compatibility.

For a long time it required annoying workarounds (CSRF tokens) to have this security hole mitigated, then just an opt-in flag on the cookies, but as usual, most companies don't know/care about it, so having protection by default is the natural solution (although it _will_ probably break quite a few legacy websites, but for a greater good).
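To make the comment above concrete, here is an added example (not code from the thread or from any browser or site it mentions) that models the two defences it names: a browser's SameSite decision of whether a cookie rides along on a request, and a server-side CSRF token check for sites that still opt out. The hosts `mail.example` and `evil.example`, the cookie name `session`, the `/delete-all` handler and the secret are constructed for the demo, and the browser model is deliberately simplified (no Public Suffix List, no `Secure` requirement for `SameSite=None`, no Lax+POST grace window).

```python
"""Added illustration of SameSite cookie scoping versus CSRF tokens (constructed demo)."""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str              # host the cookie was set for, e.g. "mail.example"
    same_site: str = "Lax"   # "Strict", "Lax" (the new default) or "None" (legacy behaviour)


@dataclass(frozen=True)
class Request:
    method: str                          # "GET", "POST", ...
    url_host: str                        # host the request goes to
    initiator_host: str                  # site of the page that triggered it
    top_level_navigation: bool = False   # link click / top-frame form, not a subresource


def registrable_site(host: str) -> str:
    # Crude eTLD+1 approximation for the demo: last two labels (not PSL-aware).
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Browser-side model: does `cookie` get attached to `req` under SameSite rules?"""
    if registrable_site(req.url_host) != registrable_site(cookie.domain):
        return False  # cookie belongs to another site entirely
    if registrable_site(req.initiator_host) == registrable_site(req.url_host):
        return True   # same-site request: always sent
    if cookie.same_site == "None":
        return True   # legacy opt-out: sent on every cross-site request
    if cookie.same_site == "Lax":
        # Lax: cross-site only on top-level navigations using a safe method.
        return req.top_level_navigation and req.method in {"GET", "HEAD", "OPTIONS"}
    return False      # Strict: never on a cross-site request


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Token bound to the session via HMAC (one common stateless design)."""
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def csrf_token_valid(secret: bytes, session_id: str, presented: str) -> bool:
    return hmac.compare_digest(issue_csrf_token(secret, session_id), presented)


def handle_delete_all(req: Request, jar: list[Cookie], form_token: Optional[str],
                      secret: bytes, require_token: bool) -> str:
    """Server-side view of POST /delete-all (hypothetical endpoint).

    `require_token=False` models a site that relies on the session cookie alone,
    as the comment says most companies historically did.
    """
    if req.method != "POST":
        return "method-not-allowed"
    sent = {c.name: c.value for c in jar if cookie_is_sent(c, req)}
    session_id = sent.get("session")
    if session_id is None:
        return "unauthenticated"    # SameSite kept the cookie off the cross-site request
    if require_token and (form_token is None
                          or not csrf_token_valid(secret, session_id, form_token)):
        return "csrf-rejected"      # cookie alone is not proof the user intended this
    return "deleted"


SECRET = b"constructed-demo-secret"  # constructed; a real server would generate this


def scenarios() -> dict[str, str]:
    """A page on evil.example auto-submits a POST form at mail.example/delete-all."""
    cross_site_post = Request("POST", "mail.example", "evil.example", top_level_navigation=True)
    same_site_post = Request("POST", "mail.example", "mail.example")
    legacy_jar = [Cookie("session", "sid-123", "mail.example", same_site="None")]
    default_jar = [Cookie("session", "sid-123", "mail.example", same_site="Lax")]
    token = issue_csrf_token(SECRET, "sid-123")
    return {
        # The two-decade-old hole: cookie sent cross-site, no token check.
        "legacy_no_token_check": handle_delete_all(cross_site_post, legacy_jar, None, SECRET, False),
        # The "annoying workaround": the site checks a CSRF token.
        "legacy_with_token_check": handle_delete_all(cross_site_post, legacy_jar, None, SECRET, True),
        # Protection by default: Lax cookie never reaches the cross-site POST.
        "lax_default_no_token_check": handle_delete_all(cross_site_post, default_jar, None, SECRET, False),
        # The user's own form on mail.example still works.
        "legit_same_site_with_token": handle_delete_all(same_site_post, default_jar, token, SECRET, True),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The `Lax` branch is what lets a user stay logged in when they follow a link from another site to their inbox (a top-level `GET`), while the same cookie stays home on a cross-site `POST`; `Strict` drops even that, which is why `Lax` was chosen as the default and why some sites that relied on cross-site `POST` flows break.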

incompatible | 6 years ago

Does Chrome support automatically clearing cookies at shutdown yet? I seem to remember it didn't but I haven't used it recently.

Edit: I searched for it, and it seems they have added the feature, but maybe not the related feature of clearing browsing history at shutdown.

jedimastert | 6 years ago

Isn't that exactly what Incognito mode does?

wheelerwj | 6 years ago

Google will absolutely not do anything in the name of trust and privacy as we define them because their business model is 100% about selling ads to more people.