[whatwg] CSRFs and Origin header and <form>s
Ian Hickson
ian at hixie.ch
Sat Nov 29 23:25:06 PST 2008
On Sat, 29 Nov 2008, Adam Barth wrote:
>
> On Sat, Nov 29, 2008 at 10:20 PM, Ian Hickson <ian at hixie.ch> wrote:
> > Regarding the open issue -- it seems like whenever a cross-origin redirect
> > takes place, the origin of the redirecting site should be used, instead of
> > the original origin. (But the origin should survive same-origin redirects
> > unaffected.)
>
> That makes sense for CSRF mitigation, but it might not make sense for
> cross-site XMLHttpRequest. In that case, we'd like the header to
> identify which origin will get to read the response (i.e., the
> JavaScript context that initiated the request, not the redirector).
>
> > That would reduce the attack surface area to just the case of a hostile
> > site finding a redirect on a site trusted by the victim that redirects to
> > a victim site. Not sure if there's anything we can do about that case.
>
> Another possibility is to replace the Origin header with "null" if there
> is a cross-origin redirect. The idea in this design is that multiple
> origins have contributed to the request and the browser can't clearly
> disentangle them. This design should address the open-redirector case
> as well.
Yeah, that would work.
Regarding which spec to put things in -- what are the cases you want this
header to be included for? Just form submission? All navigation? All
network traffic including, e.g., <script src="">, <img src="">, <link rel=
stylesheet href="">? Just POSTs? All methods?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
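To make the two redirect designs in this exchange concrete, here is an added Python example (written for this page, not code from either poster or from any browser) that computes the Origin value a browser would send under each design and the server-side CSRF decision a site would build on it; the host names, the `policy` parameter and the treatment of a missing header are assumptions of the example.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Serialize a URL's origin as scheme://host[:port], the form Origin carries.
    Simplification: an explicitly written default port is not stripped."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return "null"
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{p.hostname.lower()}{port}"


def origin_after_redirects(initiator, chain, policy="null"):
    """Origin value the browser attaches to the last request in `chain`
    (URLs fetched in order, starting with the form's action) for a request
    initiated by the page at `initiator`.
    policy="null":       a cross-origin redirect collapses Origin to "null"
                         (the design proposed in the quoted reply).
    policy="redirector": a cross-origin redirect replaces Origin with the
                         redirecting site's origin (the design proposed earlier).
    Same-origin redirects leave the header unchanged under both policies."""
    origin = origin_of(initiator)
    for prev, nxt in zip(chain, chain[1:]):
        if origin_of(prev) != origin_of(nxt):  # a cross-origin redirect hop
            if policy == "null":
                return "null"
            origin = origin_of(prev)
    return origin


def csrf_check(method, origin_header, allowed_origins):
    """Server-side decision for a request: True means accept it.
    Assumptions: safe methods never change state; a request without an
    Origin header is not treated as a trusted form post."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if origin_header is None:
        return False
    if origin_header == "null":
        return False  # provenance ambiguous (cross-origin redirect): reject
    return origin_header in allowed_origins
```

A deployment would still have to decide what to do with clients that never send Origin at all; the thread leaves that question open, so the example simply rejects them.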