Weekly Web Share #1

Weekly Web Share #1

Don't let good thinking gets buried in the flowing web

From time to time, there are always articles that I read and think, 'wow, this is gold! I wish more people knew about it', but just can't find a proper way to share. Twitter might be a nice place to go to, but those links are almost always left forgotten along with other overloaded information. There should be somewhere quieter, specific to the web tech, and that can record and remember. That's when I came up with this post. I'm going to try posting my reading digests, sometimes just links, for a few weeks and see where it goes – it might end up nowhere or turn into a weekly newsletter. The content is mostly web-related, but sometimes I might wander off a bit.

1. About cross-site cookie


It's been 7 months since Chrome has enforced SameSite cookie on its v80+ browsers. Now Firefox has also introduced a similar strategy to prevent CSRF (Cross Site Request Forgery) and as part of its privacy protection strategy against trackers.

Read Firefox's new move

It's a big deal for web developers. If you aren't familiar with it and wonder why all the big fuss, here's Heroku's detailed insight regarding Chrome's SameSite attribute.


Heroku's insight

2. Deep dive into CSRF

Many people might think CORS (Cross Origin Resource Sharing) itself can prevent CSRF. It's not true. CORS prevents the request senders from reading the response, but the request is still made anyway. CSRF, unlike XSS (Cross Site Scripting), doesn't necessarily need to read the response. I highly recommend Rob Brown's article on this issue, and he's got a great example to demonstrate:


Read more

Luckily we now have some browsers safeguarding the first gate.

3. How to send a cookie with a cross-origin XMLHttpRequest from a Chrome extension


Let's face it, Chrome extension's developer documentation sucks. When I'm trying to learn the best practice by inspecting other people's extensions, permission abuse is not uncommon. This article is more like a footnote to the Chrome Developer documentation. It's all about 'best practice'.

Check it out

4. About design


This is the best discovery in this week's random web strolling. Audi's design system is so elegant and consistent with its brand image. I love love love them!

Audi's Design System

5. About wording


Running out of action verbs in your CV? Imperial College in London offers an extensive list:

The list

Some rights reserved
Except where otherwise noted, content on this page is licensed under a Creative Commons Attribution-NonCommercial 4.0 International license.