
Ask HN: Why is Twitter blocking users if they have no Referer header? - Sayrus
While changing some settings (in this case network.http.sendRefererHeader), I got locked out of Twitter. This seems to be an intended feature.
You get an infinite redirect loop stating: "If you're not redirected soon, please use this link.".

I don't think it would be an effective way to fight bots so why are they doing it? Thanks in advance!
======
NSAID
It protects against the "Silhouette attack".

Original research paper:
[http://www.ntt.co.jp/news2018/1807e/180718a.html](http://www.ntt.co.jp/news2018/1807e/180718a.html)

Twitter Blog:
[https://blog.twitter.com/engineering/en_us/topics/insights/2...](https://blog.twitter.com/engineering/en_us/topics/insights/2018/twitter_silhouette.html)

"A website can request a page from Twitter in the background with JavaScript
using standard browser APIs. That request will be made using login credentials
(stored in cookies), so if you're logged into Twitter, that request will be
made as you.

Our site implements common CSRF protections on POST requests to prevent
actions being made on your behalf (for example, being able to send a Tweet).
The browser also enforces a number of limitations on cross-origin requests for
security reasons. For example, another origin cannot read the response
content. However, the requesting page is able to determine how long the
request took to load.

This timing data will only reveal information if the response times can be
manipulated into result based on a specific user. Generally, your page load
time will depend on the Tweets you're viewing, and these aren't easy to
predict.

However, when you are blocked by another user, we prevent you from being able
to load their profile page, and just show a basic empty page. That page is
much faster to load than a profile full of Tweets.

In our tests, profile page load times reliably dropped from around 500ms to
about 200ms. In this way, one user can affect the page load time of another
user viewing a specific url."
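
A server-side sketch of the mitigation the quoted blog describes, added here as an example (not Twitter's code): requests without a same-site Referer get one fixed redirect response regardless of who the viewer is, so a cross-site page can no longer time the blocked/unblocked difference. The site host, cookie name and response classes are constructed placeholders.

```python
from urllib.parse import urlsplit

SITE_HOST = "example.test"  # constructed placeholder for the protected site


def referer_is_same_site(headers, site_host=SITE_HOST):
    """Classify the Referer header as 'same-site', 'cross-site' or 'missing'."""
    referer = headers.get("Referer")
    if not referer:
        return "missing"
    host = urlsplit(referer).hostname or ""
    if host == site_host or host.endswith("." + site_host):
        return "same-site"
    return "cross-site"


def session_cookie_header(session_id):
    """Set-Cookie value whose SameSite attribute keeps the browser from attaching
    the session to background cross-site fetches, the alternative the thread
    mentions that does not depend on the Referer being sent."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def serve_profile(headers, viewer_blocked):
    """Simulated profile endpoint returning (status, response_class).

    Without the check a blocked viewer would get the small empty page (fast) and
    an unblocked viewer the full timeline (slow); that difference is what a
    cross-site page can measure. With the check, any request lacking a
    same-site Referer gets the identical redirect, independent of the viewer.
    """
    if referer_is_same_site(headers) != "same-site":
        return 302, "redirect"
    return 200, ("empty" if viewer_blocked else "timeline")


if __name__ == "__main__":
    # Constructed requests: one from a foreign page, one with the header stripped.
    for hdrs in ({"Referer": "https://attacker.test/"}, {}):
        assert serve_profile(hdrs, True) == serve_profile(hdrs, False)
    print(serve_profile({"Referer": "https://example.test/home"}, False))
```

The Referer check is what locks out a browser that suppresses the header (the original poster's situation), which is why the cookie attribute is the cleaner defence where it is supported.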

~~~
Sayrus
That was an interesting read, now I'm surprised there are so few websites
mitigating this kind of timing attack. Seems like SameSite is still not
implemented everywhere: [https://caniuse.com/#feat=same-site-cookie-attribute](https://caniuse.com/#feat=same-site-cookie-attribute)

