Re: The HTTP Origin Header (draft-abarth-origin)

On Thu, Jan 22, 2009 at 4:51 PM, Adrien de Croy <adrien@qbik.com> wrote:
> I don't see why servers can't protect themselves without changing Referer
> though.

A Web site that wishes to use the Referer header to defend itself
against CSRF has two choices:

Strict Referer validation:
1) If the Referer header is present, ensure that it contains a "trusted" value.
2) If the Referer header is absent, *reject* the request.

Lenient Referer validation:
1) If the Referer header is present, ensure that it contains a "trusted" value.
2) If the Referer header is absent, *accept* the request.

Web sites cannot use strict Referer validation because the Referer
header is legitimately absent for 3% of users, causing the site to
lose out on a significant amount of business.

Web sites cannot use lenient Referer validation because the attacker
can maliciously force the browser to omit the Referer header, causing
the site to be vulnerable to CSRF.  There are several techniques for
doing this; the simplest is to issue the request from an FTP URL.

You can find a more detailed explanation here:
http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

Adam

Received on Friday, 23 January 2009 01:53:38 UTC
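The two Referer policies Adam describes, worked through as an added example (this is not code from the thread or from the draft; the trusted origin, header dictionaries and host names are constructed). It compares parsed origin components rather than substrings, and shows that a privacy-conscious user with no Referer and an attacker-suppressed Referer look identical to the server, which is why neither policy is satisfactory:

```python
from urllib.parse import urlsplit

# Constructed trusted origin for this example: (scheme, host, port).
TRUSTED_ORIGINS = {("https", "shop.example", 443)}


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def referer_allows(headers, strict):
    """Strict or lenient Referer validation; True means accept the request."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        # Strict: reject (turns away the users whose browsers send no Referer).
        # Lenient: accept (the CSRF hole, since an attacker can suppress it).
        return not strict
    # Present: must be one of the trusted origins. Parsing the host avoids
    # substring mistakes such as accepting "https://shop.example.attacker.test/".
    return origin_of(referer) in TRUSTED_ORIGINS


# Constructed sample requests. Note that PRIVACY_USER and SUPPRESSED are
# byte-for-byte identical: the server cannot tell them apart.
LEGIT = {"Referer": "https://shop.example/cart"}
PRIVACY_USER = {}                                   # Referer stripped by browser/proxy
CROSS_SITE = {"Referer": "http://attacker.test/p"}  # ordinary cross-site request
SUPPRESSED = {}                                     # attacker-induced omission


def decisions():
    """Accept/reject outcome of each sample request under both policies."""
    samples = (LEGIT, PRIVACY_USER, CROSS_SITE, SUPPRESSED)
    return {
        "strict": [referer_allows(h, strict=True) for h in samples],
        "lenient": [referer_allows(h, strict=False) for h in samples],
    }
```

Strict rejects the second and fourth requests together (losing the legitimate user); lenient accepts both together (admitting the forged one).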