Why does Set-Cookie’s SameSite directive apply to the destination rather than the origin?

I understand that the SameSite directive tries to protect against cross-origin leakages and CSRF (see OWASP), but I don’t get why (on my browser at least) it applies to the cookie’s destination rather than to the client’s origin. As a consequence of that choice, it is impossible to benefit from SameSite protection in legitimate cross-origin scenarios.

Let’s say I host some API on https://API and some front-end application on https://FRONT:

    +----------+                                                  +----------+
    | FRONT    |                                                  | API      |
    |----------|                                                  |----------|
    |          |                                                  |          |
    |        1 +---------------OPTIONS-/login--------------------->          |
    |          |                                                  |          |
    |          <----------200--Allow-Origin:-FRONT----------------+ 2        |
    |          |                                                  |          |
    |        3 ----------------POST-/login------------------------|          |
    |          |                                                  |          |
    |          <-------201-Set-Cookie:-AccessToken:-sk_123--------+ 4        |
    |          |                       HttpOnly;Secure;           |          |
    |          |                       SameSite: Strict           |          |
    |          |                                                  |          |
    |        5 +---------------POST-/protected-------------------->          |
    |          |                                                  |          |
    |          <----------------403-Forbidden---------------------+ 6        |
    +----------+                                                  +----------+

In this scenario, my user-agent just ignores the Set-Cookie directive (4). But since the Set-Cookie directive took place while the client was on FRONT, I would have expected it to work. I thought a “SameSite” cookie meant “the client was on the same site when the cookie was set and when the cross-origin request was made”, which makes a lot of sense from the user’s perspective. But it rather means “the cookie was set on the same site it’s being requested from”. Consequently, in this scenario, you have to set the SameSite value to None (otherwise it’s just dropped) and fall back to the good old “manual” CSRF protection mechanism.

My question is: is there any upside to the current implementation of the SameSite directive from a security standpoint? Would a UA that had implemented the SameSite directive the way I thought it worked be vulnerable to some kind of attack? Is there any chance that we will see some kind of Strict+SameOrigin value for the SameSite directive someday?
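The decision the user agent makes at steps 4 and 5 of the diagram, as an added example that is not part of the original question: a small JavaScript (Node) model of the SameSite rules in the RFC 6265bis draft. What the browser compares is the site of the request target against the site of the top-level browsing context that issued the request, and it applies that comparison both when storing a cookie from a response and when attaching a stored cookie to a request. The names https://front.example and https://api.example are assumed stand-ins for FRONT and API, and the registrable-domain computation is a two-label approximation rather than the Public Suffix List that real browsers use.

```javascript
// Added example, not code from the original question. Models the SameSite
// storage and attachment checks of RFC 6265bis (draft) for the FRONT -> API
// scenario. Assumed names: https://front.example (FRONT), https://api.example (API).
// Assumption: a "site" is scheme + last two host labels; browsers use the PSL.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Site = scheme + registrable domain (two-label approximation, see above).
function siteOf(url) {
  const u = new URL(url);
  const registrable = u.hostname.split(".").slice(-2).join(".");
  return `${u.protocol}//${registrable}`;
}

function isSameSite(urlA, urlB) {
  return siteOf(urlA) === siteOf(urlB);
}

// Parse a Set-Cookie header value into the attributes this model needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: "Default", // attribute absent or value unrecognised
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") {
      const val = v.trim().toLowerCase();
      cookie.sameSite = { strict: "Strict", lax: "Lax", none: "None" }[val] || "Default";
    }
  }
  return cookie;
}

// Storage step (diagram step 4): a cookie whose SameSite is not None that
// arrives in the response to a cross-site request is ignored entirely, and
// SameSite=None is only accepted together with Secure.
function canStoreCookie(setCookieHeader, responseUrl, topLevelSiteUrl) {
  const c = parseSetCookie(setCookieHeader);
  if (c.sameSite === "None") return c.secure;
  return isSameSite(responseUrl, topLevelSiteUrl);
}

// Attachment step (diagram step 5): does a stored cookie go out on a request?
// req = { url, topLevelSiteUrl, method, isTopLevelNavigation }
function shouldAttachCookie(cookie, req) {
  if (cookie.secure && new URL(req.url).protocol !== "https:") return false;
  if (isSameSite(req.url, req.topLevelSiteUrl)) return true; // same-site: always
  switch (cookie.sameSite) {
    case "None":
      return true;
    case "Strict":
      return false;
    default: // Lax; Default is treated as Lax here (simplification of the draft)
      return req.isTopLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
  }
}

// Replay the diagram: a fetch() from a page on FRONT to API, with Strict, then None.
function runScenario() {
  const front = "https://front.example/";
  const login = "https://api.example/login";
  const strictHeader = "AccessToken=sk_123; HttpOnly; Secure; SameSite=Strict";
  const noneHeader = "AccessToken=sk_123; HttpOnly; Secure; SameSite=None";
  const xhr = {
    url: "https://api.example/protected",
    topLevelSiteUrl: front,
    method: "POST",
    isTopLevelNavigation: false,
  };
  return {
    strictStored: canStoreCookie(strictHeader, login, front), // dropped at step 4
    strictAttached: shouldAttachCookie(parseSetCookie(strictHeader), xhr), // would not be sent at step 5 either
    noneStored: canStoreCookie(noneHeader, login, front),
    noneAttached: shouldAttachCookie(parseSetCookie(noneHeader), xhr),
  };
}

console.log(runScenario());
```

`runScenario()` reproduces the post's observation: with SameSite=Strict the cookie is never stored because the response belongs to a cross-site request, and even a stored Strict cookie would not be attached to the cross-site POST; switching to SameSite=None; Secure makes both checks pass, which is why the manual CSRF defence is then needed.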


Nessus detects more open ports than nmap

When I scan my site via nmap, I only see 3 ports open.

    nmap -sV {ip}
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-25 09:42 EST
    Nmap scan report for {ip}
    Host is up (0.023s latency).
    Not shown: 997 filtered ports
    PORT    STATE  SERVICE VERSION
    22/tcp  open   ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
    80/tcp  open   http    nginx
    443/tcp closed https
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 11.72 seconds

When I scan that same IP with Nessus, I see

    Finding                               Port                Hosts
    Port 2052/tcp was found to be open    2052 / tcp / www    www.my-site.com
    Port 2053/tcp was found to be open    2053 / tcp / www    www.my-site.com
    Port 2082/tcp was found to be open    2082 / tcp / www    www.my-site.com
    Port 2083/tcp was found to be open    2083 / tcp / www    www.my-site.com
    Port 2086/tcp was found to be open    2086 / tcp / www    www.my-site.com
    Port 2087/tcp was found to be open    2087 / tcp / www    www.my-site.com
    Port 2095/tcp was found to be open    2095 / tcp / www    www.my-site.com
    Port 2096/tcp was found to be open    2096 / tcp / www    www.my-site.com
    Port 443/tcp was found to be open     443 / tcp / www     www.my-site.com
    Port 80/tcp was found to be open      80 / tcp / www      www.my-site.com
    Port 8080/tcp was found to be open    8080 / tcp / www    www.my-site.com
    Port 8443/tcp was found to be open    8443 / tcp / www    www.my-site.com
    Port 8880/tcp was found to be open    8880 / tcp / www    www.my-site.com

Why are they different? Are they hidden ports?

What nmap commands should I use to get the same list of ports that Nessus reports?
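As an added example that is not part of the original post, the following JavaScript (Node) parses the two scan outputs above, embedded here as constructed strings copied from the post, lists the ports Nessus found open that the nmap run did not report as open, and builds the nmap invocation that covers them. Two facts from the outputs drive the logic: nmap probes only its 1000 most common TCP ports unless `-p` is given, so ports such as 2052, 2053, 2082, 2083, 2086, 2087, 2095 and 2096 were never probed at all, and the run above reported every other probed port (997 of them, 8080 and 8443 included) as filtered and 443 as closed, so the two scanners also observed different filtering, not only different port coverage. The target name www.my-site.com is taken from the Nessus output.

```javascript
// Added example, not code from the original post. Diff an nmap default scan
// against Nessus "Port N/tcp was found to be open" findings and emit the nmap
// command that probes exactly the ports nmap did not report open.
// Both inputs below are constructed strings copied from the post.

const NMAP_OUTPUT = `
Not shown: 997 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp  open   http    nginx
443/tcp closed https
`;

const NESSUS_OUTPUT = `
Port 2052/tcp was found to be open
Port 2053/tcp was found to be open
Port 2082/tcp was found to be open
Port 2083/tcp was found to be open
Port 2086/tcp was found to be open
Port 2087/tcp was found to be open
Port 2095/tcp was found to be open
Port 2096/tcp was found to be open
Port 443/tcp was found to be open
Port 80/tcp was found to be open
Port 8080/tcp was found to be open
Port 8443/tcp was found to be open
Port 8880/tcp was found to be open
`;

// Map of port -> state ("open", "closed", "filtered", ...) for the ports nmap listed.
function parseNmapPortStates(text) {
  const states = new Map();
  for (const m of text.matchAll(/^\s*(\d+)\/tcp\s+(\w+)/gm)) states.set(Number(m[1]), m[2]);
  return states;
}

// The "Not shown: N <state> ports" summary: how many probed ports shared one state.
function parseNotShown(text) {
  const m = text.match(/Not shown:\s+(\d+)\s+(\w+)\s+ports/);
  return m ? { count: Number(m[1]), state: m[2] } : null;
}

// Ports Nessus reported open, from its per-port plugin titles.
function parseNessusOpenPorts(text) {
  const ports = new Set();
  for (const m of text.matchAll(/Port (\d+)\/tcp was found to be open/g)) ports.add(Number(m[1]));
  return ports;
}

// Nessus-open ports the nmap run did not report as open, split by whether nmap
// listed the port explicitly (e.g. closed) or never showed it (filtered, or not probed).
function classifyDiscrepancies(nmapText, nessusText) {
  const states = parseNmapPortStates(nmapText);
  const listedNotOpen = [];
  const notListed = [];
  for (const p of [...parseNessusOpenPorts(nessusText)].sort((a, b) => a - b)) {
    const state = states.get(p);
    if (state === "open") continue;
    (state ? listedNotOpen : notListed).push(p);
  }
  return { listedNotOpen, notListed };
}

// Command that probes exactly the disputed ports (with version detection).
function buildTargetedScan(target, ports) {
  return `nmap -sV -p ${ports.join(",")} ${target}`;
}

// Command that probes all 65535 TCP ports instead of nmap's default 1000.
function buildFullScan(target) {
  return `nmap -sV -p- ${target}`;
}

function main() {
  const { listedNotOpen, notListed } = classifyDiscrepancies(NMAP_OUTPUT, NESSUS_OUTPUT);
  const all = [...listedNotOpen, ...notListed].sort((a, b) => a - b);
  console.log("nmap summary:", parseNotShown(NMAP_OUTPUT));
  console.log("listed by nmap but not open:", listedNotOpen);
  console.log("not listed by nmap:", notListed);
  console.log(buildTargetedScan("www.my-site.com", all));
  console.log(buildFullScan("www.my-site.com"));
}

main();
```

Running it prints the 443 entry under "listed by nmap but not open" (nmap saw it closed), the other eleven ports under "not listed", and the two commands; the targeted one retests only the disputed ports, the `-p-` one removes the default 1000-port limit altogether.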

Is there an option to protect a USB stick from being infected other than flash drives with hardware protection?

I would like to protect my flash drives from being infected when I put them in other computers or devices. After some research, I found that I will not be able to reach this level of protection by using only software solutions (correct me if I’m wrong).

However, I don’t have a flash drive with hardware protection, and my only way to get one is by importing it (it will not be cheap). I also found that an SD card’s write-protect switch is not enforced at the hardware level, so I kind of have to trust that a potentially infected computer will respect it, which is not a good idea.

So, my question is: is there a trustful way (using USB) to put my files into another computer without my USB stick (flash drive or SD card) being infected?

Can any tools/tactics produce a higher confidence in a clean system than Microsoft Security Scanner?

In the process of trying to recover data in bulk from what I assumed was a failing hard drive, Windows Security kindly notified me it had found a handful of malicious items among the recovered files. I immediately nuked that secondary drive, but for a few items it reported either “Remediation Failed” or “Item removed or restored from quarantine”.

I did a full scan, then an offline scan, and a full scan in safe mode with Security Scanner, all of which found nothing. I have not seen any symptoms that match the items it detected, and have read that those two concerning reports are a common artifact of manually deleting items it found.

My finger is hovering over the “nuke it from orbit” button anyway, but for now I think this is an interesting question: obviously nothing can guarantee it, but what tools, techniques, or combinations thereof can produce a higher confidence than just running Microsoft’s tools in sequence? Perhaps some combination of tools run from a Linux CD/USB?

Can I benefit from more than one celerity effect in the same round?

  • Assuming I’m immune to daze (quick recovery feat let’s say)
  • I resist it after doing my standard action acquired via celerity that I just cast (at the end of my turn so using the swift action from next turn)
  • If I have a contingency(celerity) with the condition: If I resist the daze effect directly after using celerity and there’s still a threat around me: activate (or just if I resist the daze effect directly after casting celerity: activate if the threat criteria is too vague for the DM, could waste it this way but oh well it’s already OP as it is).

    • That would give me another standard action right?
  • The immediate action (swift action of next round) is casting the spell celerity (which would have been used in advance with contingency), not having the actual benefit from it (standard action), right? And contingency(Celerity) should work, am I right?

  • I know about contingent items with celerity loops, but is that really legal? I would ban this of course, but I guess I would allow two celerity benefits in one round if the contingency was well prepared in advance.

Finding Your Competitors’ Facebook Ads Is Easier Than You Think

If you’re intimidated about doing market research, don’t be. It’s significantly easier than you think it is; that we’ll promise. Thanks to the election scandal, Facebook has set out to be more transparent when it comes to ads and customer data. And this means that they have given us a powerful tool: we can now click through competitors’ ads in less time than it takes to ask if it’s possible. The first step is to navigate to your competitor’s Facebook page. You’ll see a button on the…
