Discussion on: How to avoid Meltdown, Spectre and CSRF Attacks on Web with CORP, CORB, and CORS?

Beto Muniz Author • Edited

Indeed. CORS is useful only against CSRF due to the post context. About Spectre and Meltdown not being effective through browsers, I could not agree 100%, since just recently (2 weeks ago) Firefox released Site Isolation as a solid response to such attacks. Still, thinking about thousands of users using outdated or old browsers, creating a barrier in your application is a must-have recommendation to ensure an extra layer of security until old or outdated browsers are in use. So don't ignore such features if you can.

cubiclesocial

It's not about ignoring security features in browsers. You are attempting to correlate/associate irrelevant vulnerabilities as being able to be defended against using CORS, etc. That's simply not the case and spreads misinformation.

Beto Muniz Author

Not sure what you mean about spreading misinformation, but for you, CORS can't be used to defend against CSRF attacks? CORP/CORB can't be used against Spectre/Meltdown attacks? I would love to know where you're studying because my references say exactly the opposite.

Beto Muniz Author