[whatwg] CSRFs and Origin header and <form>s
Adam Barth
whatwg at adambarth.com
Sat Nov 29 22:38:22 PST 2008
On Sat, Nov 29, 2008 at 10:20 PM, Ian Hickson <ian at hixie.ch> wrote:
> Regarding the open issue -- it seems like whenever a cross-origin redirect
> takes place, the origin of the redirecting site should be used, instead of
> the original origin. (But the origin should survive same-origin redirects
> unaffected.)
That makes sense for CSRF mitigation, but it might not make sense for
cross-site XMLHttpRequest. In that case, we'd like the header to
identify which origin will get to read the response (i.e., the
JavaScript context that initiated the request, not the redirector).
> That would reduce the attack surface area to just the case of a hostile
> site finding a redirect on a site trusted by the victim that redirects to
> a victim site. Not sure if there's anything we can do about that case.
Another possibility is to replace the Origin header with "null" if
there is a cross-origin redirect. The idea in this design is that
multiple origins have contributed to the request and the browser can't
clearly disentangle them. This design should address the
open-redirector case as well.
Adam
More information about the whatwg
mailing list