Simon Willison’s Weblog

Entries tagged csrf

Exploring the SameSite cookie attribute for preventing CSRF

In reading Yan Zhu’s excellent write-up of the JSON CSRF vulnerability she found in OkCupid one thing puzzled me: I was under the impression that browsers these days default to treating cookies as SameSite=Lax, so I would expect attacks like the one Yan described not to work in modern browsers.

[... 2168 words]

Datasette 0.58: The annotated release notes

I released Datasette 0.58 last night, with new plugin hooks, Unix domain socket support, a major faceting performance fix and a few other improvements. Here are the annotated release notes.

[... 1062 words]

Weeknotes: sqlite-utils updates, Datasette and asgi-csrf, open-sourcing VIAL

Some work on sqlite-utils, asgi-csrf, a Datasette alpha and we open-sourced VIAL.

[... 662 words]

Weeknotes: Rocky Beaches, Datasette 0.48, a commit history of my database

This week I helped Natalie launch Rocky Beaches, shipped Datasette 0.48 and several releases of datasette-graphql, upgraded the CSRF protection for datasette-upload-csvs and figured out how to get a commit log of changes to my blog by backing up its database to a GitHub repository.

[... 1294 words]

Weeknotes, I guess

What a week. Hard to work up the enthusiasm to write about what I’ve been working on.

[... 314 words]

Weeknotes: datasette-ics, datasette-upload-csvs, datasette-configure-fts, asgi-csrf

I’ve been preparing for the NICAR 2020 Data Journalism conference this week, which has led me into a flurry of activity across a plethora of different projects and plugins.

[... 834 words]

Why do some people disable JavaScript in their browser?

For security reasons.

[... 159 words]

Django ponies: Proposals for Django 1.2

I’ve decided to step up my involvement in Django development in the run-up to Django 1.2, so I’m currently going through several years worth of accumulated pony requests figuring out which ones are worth advocating for. I’m also ensuring I have the code to back them up—my innocent AutoEscaping proposal a few years ago resulted in an enormous amount of work by Malcolm and I don’t think he’d appreciate a repeat performance.

[... 1674 words]

Designing for a security breach

User account breaches are inevitable. We should take that into account when designing our applications.

[... 545 words]

Fighting RFCs with RFCs

Google’s recently released Web Accelerator apparently has some scary side-effects. It’s been spotted pre-loading links in password-protected applications, which can amount to clicking on every “delete this” link — bypassing even the JavaScript prompt you carefully added to give people the chance to think twice.

[... 353 words]