XSRF in the logout handler

Some vulnerability reporters contact us about the ability to log out Google users by navigating their browser to a particular URL. In some ways, this behavior is undesirable, but we believe that it cannot be reliably addressed on the modern web: for example, malicious websites may also simply overflow the browser cookie jar and drop your authentication cookies for other websites on the Internet.

We are likely to revisit this when more robust and resilient authentication mechanisms emerge and gain traction on the web. For now, we have discussed this behavior with the folks who maintain our authentication infrastructure, but we do not prioritize it as a security risk. Therefore reports about this issue do not qualify for a reward or credit.