Am I reading this correctly? The Chrome team believes that regular GET requests are now CSRF vectors due to the disclosed attacks? If so, that has wide ranging implications on using links on the web. chromium.org/Home/chromium-s…

I've worked on multiple CSRF mitigations in my time on the Rails security team and if GET requests are really now vulnerable to the extent that Google is suggesting using randomized URLs or CSRF tokens, this shit is about to get real.

To state the obvious, you cannot use CSRF tokens in URLs and also have those links work as normal links from other web sites.

This means that using the same URL for multiple logged-in users becomes a no-no. Again, to state the obvious, this means that I can't share the same URL for a tweet with you if that URL displays personalized content for logged in users.

I might be misreading what Google is saying here, but this seems like a significant implication if true.