
Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 22 Jan 2009 17:52:57 -0800
Message-ID: <7789133a0901221752w5db07c76l97f4b3a85a9c9a39@mail.gmail.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>

On Thu, Jan 22, 2009 at 4:51 PM, Adrien de Croy <adrien@qbik.com> wrote:
> I don't see why servers can't protect themselves without changing Referer
> though.

A Web site that wishes to use the Referer header to defend itself
against CSRF has two choices:

Strict Referer validation:
1) If the Referer header is present, ensure that it contains a "trusted" value.
2) If the Referer header is absent, *reject* the request.

Lenient Referer validation:
1) If the Referer header is present, ensure that it contains a "trusted" value.
2) If the Referer header is absent, *accept* the request.

Web sites cannot use strict Referer validation because the Referer
header is legitimately absent for 3% of users, causing the site to
lose out on a significant amount of business.

Web sites cannot use lenient Referer validation because the attacker
can maliciously force the browser to omit the Referer header, causing
the site to be vulnerable to CSRF.  There are several techniques for
doing this; the simplest is to issue the request from an FTP URL.

You can find a more detailed explanation here:
http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

Adam
Received on Friday, 23 January 2009 01:53:38 GMT
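The two validation policies described in the message, worked through as an added example (this is illustration code written for this archive page, not code from the draft or from Adam Barth). The site origin `https://bank.example`, the attacker host `attacker.example`, and the four sample requests are all constructed for the example. The no-Referer cases stand in for the two situations the message contrasts: an attacker who has forced the browser to omit the header (for instance by launching the request from an FTP URL) and a legitimate user whose browser or proxy strips it.

```python
from enum import Enum
from urllib.parse import urlsplit


class Mode(Enum):
    STRICT = "strict"    # absent Referer -> reject
    LENIENT = "lenient"  # absent Referer -> accept


# Hypothetical protected site, as (scheme, host, port). Comparing the full
# origin rather than a string prefix defeats lookalike hosts such as
# bank.example.attacker.example and userinfo tricks like bank.example@evil.
TRUSTED_ORIGINS = {("https", "bank.example", 443)}


def referer_origin(referer):
    """Reduce a Referer URL to its origin triple, or None if unparseable."""
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:          # e.g. a non-numeric port
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def referer_check(headers, mode, trusted=TRUSTED_ORIGINS):
    """Return True if the request passes Referer validation under `mode`."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        # This single branch is the whole difference between the policies.
        return mode is Mode.LENIENT
    origin = referer_origin(referer)
    return origin is not None and origin in trusted


# Constructed sample requests (header dicts only; bodies are irrelevant here).
SAMPLE_REQUESTS = {
    "same-site form post": {"Referer": "https://bank.example/transfer"},
    "cross-site forgery": {"Referer": "http://attacker.example/csrf.html"},
    "lookalike host": {"referer": "https://bank.example.attacker.example/"},
    "forgery, Referer suppressed by attacker": {},   # e.g. launched from ftp://
    "legit user, Referer stripped by proxy": {},
}


def evaluate(mode):
    """Map each sample request to accept (True) / reject (False) under `mode`."""
    return {name: referer_check(h, mode) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for mode in Mode:
        print(f"--- {mode.value} Referer validation ---")
        for name, accepted in evaluate(mode).items():
            print(f"{'accept' if accepted else 'reject':7} {name}")
```

Running both modes makes the dilemma in the message concrete: the server cannot distinguish the last two requests, so strict validation rejects both (turning away the legitimate user) and lenient validation accepts both (letting the forgery through). Any Referer-based defence has to pick which of those two failures it prefers.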
