[whatwg] CSRFs and Origin header and <form>s

Ian Hickson ian at hixie.ch
Sat Nov 29 23:25:06 PST 2008


On Sat, 29 Nov 2008, Adam Barth wrote:
>
> On Sat, Nov 29, 2008 at 10:20 PM, Ian Hickson <ian at hixie.ch> wrote:
> > Regarding the open issue -- it seems like whenever a cross-origin redirect
> > takes place, the origin of the redirecting site should be used, instead of
> > the original origin. (But the origin should survive same-origin redirects
> > unaffected.)
> 
> That makes sense for CSRF mitigation, but it might not make sense for
> cross-site XMLHttpRequest.  In that case, we'd like the header to
> identify which origin will get to read the response (i.e., the
> JavaScript context that initiated the request, not the redirector).
> 
> > That would reduce the attack surface area to just the case of a hostile
> > site finding a redirect on a site trusted by the victim that redirects to
> > a victim site. Not sure if there's anything we can do about that case.
> 
> Another possibility is to replace the Origin header with "null" if there 
> is a cross-origin redirect.  The idea in this design is that multiple 
> origins have contributed to the request and the browser can't clearly 
> disentangle them.  This design should address the open-redirector case 
> as well.

Yeah, that would work.

Regarding which spec to put things in -- what are the cases you want this 
header to be included for? Just form submission? All navigation? All 
network traffic including, e.g., <script src="">, <img src="">, <link rel= 
stylesheet href="">? Just POSTs? All methods?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list