
Awesome post, love to see that even the great borg is human sometimes like the rest of us :)

Just curious for someone who knows more than me, couldn't all of these have been prevented by requiring all POSTs to the server have an attached CSRF nonce? Is there a downside to having a blanket policy like that?



Tokens would not have helped for the first two. They were logic errors; the attacker used Google features in ways they were not expected to.

The first was a GET request, not POST. Images have fairly lax cross domain restrictions. So while the attacking website can't see the image loaded from Google they can detect when the image doesn't load. Google was returning a non-200 response code for images the user can't see.

The second wasn't a traditional XSRF. Instead it was making the victim (unknowingly) edit a shared document created by the attacker. The attacker uses the feature of Google docs that shows all current editors to see the victim's Google account name.



