On Thu, Jan 22, 2009 at 4:51 PM, Adrien de Croy <adrien@qbik.com> wrote:
> I don't see why servers can't protect themselves without changing Referer
> though.

A Web site that wishes to use the Referer header to defend itself against
CSRF has two choices:

Strict Referer validation:
1) If the Referer header is present, ensure that it contains a "trusted" value.
2) If the Referer header is absent, *reject* the request.

Lenient Referer validation:
1) If the Referer header is present, ensure that it contains a "trusted" value.
2) If the Referer header is absent, *accept* the request.

Web sites cannot use strict Referer validation because the Referer header is
legitimately absent for 3% of users, causing the site to lose out on a
significant amount of business.

Web sites cannot use lenient Referer validation because the attacker can
maliciously force the browser to omit the Referer header, causing the site to
be vulnerable to CSRF. There are several techniques for doing this; the
simplest is to issue the request from an FTP URL.

You can find a more detailed explanation here:
http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

Adam

Received on Friday, 23 January 2009 01:53:38 GMT
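The two policies above, as an added example (not code from the thread or from any project it mentions), to show what a server-side check actually decides for the case the message hinges on, a request with no Referer at all. The trusted origin `bank.example` and the request headers are constructed; "trusted value" is interpreted here as an exact origin match (scheme, host, port), so a look-alike host that merely starts with the trusted name is not accepted.

```python
from urllib.parse import urlsplit

# Constructed example site: the only origin whose Referer we trust.
TRUSTED_ORIGINS = {("https", "bank.example", 443)}


def referer_origin(referer):
    """Return (scheme, host, port) for a Referer URL, or None if it is unusable."""
    try:
        parts = urlsplit(referer)
        host = parts.hostname          # already lower-cased by urlsplit
        port = parts.port              # may raise ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port)


def referer_allows(headers, strict, trusted=TRUSTED_ORIGINS):
    """Decide whether a state-changing request passes Referer validation.

    strict=True  -> absent Referer is rejected (loses the users whose
                    browsers or proxies strip the header).
    strict=False -> absent Referer is accepted (the lenient policy; this is
                    the gap a forced-omission request slips through).
    A present Referer must match a trusted origin exactly under both policies.
    """
    referer = headers.get("Referer")
    if referer is None:
        return not strict
    return referer_origin(referer) in trusted


def evaluate(headers):
    """Outcome under both policies, for comparing them side by side."""
    return {"strict": referer_allows(headers, True),
            "lenient": referer_allows(headers, False)}


if __name__ == "__main__":
    # Constructed sample requests as a server would see them.
    for label, hdrs in [("same-origin", {"Referer": "https://bank.example/account"}),
                        ("cross-site", {"Referer": "https://other.example/page"}),
                        ("no Referer", {}),
                        ("look-alike", {"Referer": "https://bank.example.other.example/"})]:
        print(f"{label:12} {evaluate(hdrs)}")
```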