[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Anne van Kesteren annevk at opera.com
Fri Sep 26 04:47:17 PDT 2008


On Thu, 25 Sep 2008 22:17:00 +0200, Collin Jackson <w3c at collinjackson.com>  
wrote:
> 6) New cookie attribute: The "httpOnly" cookie flag allows sites to
> put restrictions on how a cookie can be accessed. We could allow a new
> flag to be specified in the Set-Cookie header that is designed to
> prevent CSRF and "UI redress" attacks. If a cookie is set with a
> "sameOrigin" flag, we could prevent that cookie from being sent on
> HTTP requests that are initiated by other origins, or were made by
> frames with ancestors of other origins. In a CSRF or "UI redress"
> attack scenario, it will appear as though the user is not logged in,
> and thus the HTTP request will be unable to affect the user's account.
>
> This flag could potentially use the cookie concept of same origin
> rather than the HTML5 concept of same origin: ignore port, ignore
> scheme unless "secure" flag is set, "domain" attribute can be used to
> relax domain comparison.
>
> Pros:
>
>  - Only need to change one line of code where the login cookie is set,
> entire site is protected
>
> Cons:
>
>  - "Opt-in" (sites remain vulnerable unless action is taken)
>  - Would need to test this to make sure it doesn't break legacy
> browser cookie handling
>
> (Adam and I got this idea from someone else, but we don't remember who  
> it was.)

Probably somewhere on the public-webapps or public-webapi list in the context  
of cross-domain XMLHttpRequest. Anyway, this wouldn't work for login based  
on HTTP authentication or based on IP address or something.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
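
The "sameOrigin" flag proposed in the quoted message, sketched as a browser-side send decision. This is an added example, not part of the original thread or any browser's code; the function and field names are hypothetical, and letting a request with no initiator through is an assumption.

```javascript
// Added illustration of the proposed "sameOrigin" cookie flag.
// Function and field names are hypothetical, not from any browser.

// Cookie notion of same origin from the proposal: port ignored, scheme
// ignored unless "secure" is set, "domain" relaxes the host comparison.
function cookieSameOrigin(cookie, origin) {
  const o = new URL(origin);
  if (cookie.secure && o.protocol !== "https:") return false;
  const host = o.hostname.toLowerCase();
  if (cookie.domain) {
    const d = cookie.domain.replace(/^\./, "").toLowerCase();
    return host === d || host.endsWith("." + d);
  }
  return host === cookie.host.toLowerCase();
}

// request.initiator: origin that triggered the request (null is assumed
// to mean a user-typed navigation, which the proposal does not cover).
// request.ancestors: origins of the frames enclosing the requester.
function shouldSendCookie(cookie, request) {
  if (!cookieSameOrigin(cookie, request.url)) return false; // normal scoping
  if (!cookie.sameOrigin) return true; // flag absent: legacy behaviour
  if (request.initiator !== null &&
      !cookieSameOrigin(cookie, request.initiator)) return false;
  return request.ancestors.every((a) => cookieSameOrigin(cookie, a));
}

// Constructed sample cookie and requests.
const session = { host: "bank.example", domain: null, secure: false, sameOrigin: true };
const url = "http://bank.example/transfer";
const samples = {
  firstParty: { url, initiator: "http://bank.example", ancestors: [] },
  otherPort: { url, initiator: "http://bank.example:8080", ancestors: [] },
  crossOrigin: { url, initiator: "http://other.example", ancestors: [] },
  framed: { url, initiator: "http://bank.example", ancestors: ["http://other.example"] },
  subdomain: { url, initiator: "http://www.bank.example", ancestors: [] },
};

function decide(cookie) {
  const out = {};
  for (const [name, req] of Object.entries(samples)) out[name] = shouldSendCookie(cookie, req);
  return out;
}

console.log(decide(session));
console.log(decide({ ...session, domain: "bank.example" }));
```

The decision only governs whether the Cookie header is attached; the request itself still goes out, which is why a login carried by HTTP authentication or by IP address is not covered, as the reply points out.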


