On Thu, Jan 22, 2009 at 6:41 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Adam Barth wrote:
>>Strict Referer validation: [...]
>>Lenient Referer validation:
> This is a false dichotomy; servers also have the option to request more
> information before making their final determination whenever deemed
> necessary as long as human interaction is possible. For example, having a
> user re-enter his credentials is a common technique.

To fully defend themselves against CSRF attacks, Web sites must protect every request that modifies state. It is impractical to ask users to re-enter their credentials for every side-effecting operation. Also, this technique cannot be used to defend against CSRF attacks on a site's login form.

Adam

Received on Friday, 23 January 2009 03:55:11 GMT
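The two Referer policies named in the quoted text, worked through as an added example (this is editor-supplied code, not code from either participant or from any W3C document). It assumes the usual reading of the two terms, which the quote elides: strict validation rejects a state-changing request that carries no Referer at all, while lenient validation tolerates a missing Referer and rejects only one that is present and points at another origin. The site origin, attacker host and request scenarios are constructed for the demonstration. The check keys on the HTTP method rather than on the path, so the login form's POST is covered like every other state-changing request, which is the point Adam makes about protecting every request that modifies state.

```python
"""Strict vs lenient Referer validation for CSRF defense (added example)."""
from urllib.parse import urlsplit

# Constructed for the example: the origin of the site being defended.
SITE_ORIGIN = "https://example.com"

# Methods treated as state-changing; GET/HEAD are assumed to be side-effect free.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the normalised scheme://host[:port] of url, or None if unparsable.

    Comparing whole origins (not string prefixes) is what stops
    https://example.com.attacker.example/ from passing as example.com.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def referer_check(method, headers, policy):
    """Decide whether a request may proceed under the given Referer policy.

    policy == "strict":  a state-changing request without a Referer is rejected.
    policy == "lenient": a missing Referer is tolerated; only a Referer that is
                         present and from another origin is rejected.
    Returns (allowed, reason).
    """
    if policy not in ("strict", "lenient"):
        raise ValueError(f"unknown policy {policy!r}")
    if method.upper() not in STATE_CHANGING:
        return True, "not state-changing"

    # Header names are case-insensitive in HTTP.
    lowered = {k.lower(): v for k, v in headers.items()}
    referer = lowered.get("referer")

    if referer is None:
        if policy == "strict":
            return False, "missing Referer rejected (strict)"
        return True, "missing Referer tolerated (lenient)"

    if origin_of(referer) == SITE_ORIGIN:
        return True, "same-origin Referer"
    return False, "cross-origin Referer rejected"


def demo():
    """Run the constructed scenarios under both policies; returns {name: (strict, lenient)}."""
    scenarios = {
        # The site's own login form posting to itself.
        "login from own page": ("POST", {"Referer": "https://example.com/login"}),
        # Login CSRF attempt from an attacker page that leaks its Referer.
        "login csrf with Referer": ("POST", {"Referer": "https://attacker.example/csrf.html"}),
        # Same attack with the Referer suppressed: lenient lets it through.
        "login csrf no Referer": ("POST", {}),
        # Legitimate user behind a Referer-stripping proxy: strict breaks them.
        "legit user no Referer": ("POST", {}),
        # Hostname that merely ends in the site's name.
        "suffix lookalike": ("POST", {"referer": "https://example.com.attacker.example/"}),
        # Reads are not gated at all.
        "plain GET": ("GET", {}),
    }
    return {
        name: (referer_check(m, h, "strict")[0], referer_check(m, h, "lenient")[0])
        for name, (m, h) in scenarios.items()
    }


if __name__ == "__main__":
    for name, (strict, lenient) in demo().items():
        print(f"{name:28s} strict={strict!s:5s} lenient={lenient!s:5s}")
```

The two "no Referer" rows show the trade-off Adam's paper contrasts: the strict policy turns away the attacker's Referer-less request but also the legitimate user whose proxy strips the header, while the lenient policy does the reverse. An attacking page can deliberately suppress the Referer (today simply with a no-referrer referrer policy), so the lenient variant leaves exactly that gap; neither variant can be replaced by asking the user to re-authenticate, because the request being gated here may itself be the login.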