> They say user data remains in the Secure Enclave at all times No they don't. They say that the Secure Enclave participates in the secure boot chain, and in generating non-exportable keys used for secured transport. It…
No, `hmac(key=key, message=input) == hmac(key=key, message=secret)` where key is either a static secret key for comparison purposes, or random for each comparison.
I tested with SameSite being Lax and Strict. Neither block the attack in Chrome. My reading of the SameSite spec indicates that it doesn't take cookie path into account.
It would not. It would stop the cookie from being sent to things outside of the path specified, but the Same Origin Policy is about, among other things, gaining read-access to the responses of fetch/XMLHttpRequest/AJAX…
> They say user data remains in the Secure Enclave at all times No they don't. They say that the Secure Enclave participates in the secure boot chain, and in generating non-exportable keys used for secured transport. It…
No, `hmac(key=key, message=input) == hmac(key=key, message=secret)` where key is either a static secret key for comparison purposes, or random for each comparison.
I tested with SameSite being Lax and Strict. Neither block the attack in Chrome. My reading of the SameSite spec indicates that it doesn't take cookie path into account.
It would not. It would stop the cookie from being sent to things outside of the path specified, but the Same Origin Policy is about, among other things, gaining read-access to the responses of fetch/XMLHttpRequest/AJAX…