
Re: The HTTP Origin Header (draft-abarth-origin)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 23 Jan 2009 03:41:45 +0100
To: Adam Barth <w3c@adambarth.com>
Cc: ietf-http-wg@w3.org
Message-ID: <1bain49k46neppvssd01ja4p8e91dsd0ht@hive.bjoern.hoehrmann.de>

* Adam Barth wrote:
>A Web site that wishes to use the Referer header to defend itself
>against CSRF has two choices:
>
>Strict Referer validation:
>1) If the Referer header is present, ensure that it contains a "trusted" value.
>2) If the Referer header is absent, *reject* the request.
>
>Lenient Referer validation:
>1) If the Referer header is present, ensure that it contains a "trusted" value.
>2) If the Referer header is absent, *accept* the request.

This is a false dichotomy; servers also have the option to request more
information before making their final determination whenever deemed
necessary as long as human interaction is possible. For example, having a
user re-enter his credentials is a common technique.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
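The three policies discussed in this exchange (strict, lenient, and the third option of challenging the user for re-authentication when the Referer is absent) side by side, as an added example that is not code from either poster; the function names, the `mode` values and the sample origins are this example's own assumptions.

```python
from urllib.parse import urlsplit

ACCEPT, REJECT, CHALLENGE = "accept", "reject", "challenge"

def referer_origin(url):
    """Reduce a URL to its origin "scheme://host:port", or None if it has no usable origin.

    Anything that is not an http(s) URL with a host (empty string, javascript:,
    a malformed IPv6 literal, a non-numeric port) is treated as untrusted.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises ValueError on junk ports
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if port is None:                               # apply the scheme's default port
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.scheme}://{host}:{port}"       # hostname is already lower-cased

def check_request(headers, trusted_urls, mode="strict"):
    """Decide what to do with a state-changing request based on its Referer header.

    mode: "strict"    - absent Referer is rejected (Adam Barth's strict validation)
          "lenient"   - absent Referer is accepted (lenient validation)
          "challenge" - absent Referer triggers a re-authentication step before the
                        action is performed (the option raised in the reply above)
    A Referer that is present must match one of the trusted origins exactly,
    including scheme and port; a present-but-unparsable Referer is rejected.
    """
    if mode not in ("strict", "lenient", "challenge"):
        raise ValueError(f"unknown mode {mode!r}")
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    referer = lowered.get("referer")
    if referer is None:
        return {"strict": REJECT, "lenient": ACCEPT, "challenge": CHALLENGE}[mode]
    trusted = {o for o in map(referer_origin, trusted_urls) if o is not None}
    origin = referer_origin(referer)
    return ACCEPT if origin is not None and origin in trusted else REJECT

if __name__ == "__main__":
    # Constructed sample requests against a constructed trusted origin.
    trusted = ["https://bank.example"]
    for hdrs in ({"Referer": "https://bank.example/transfer"},
                 {"Referer": "https://attacker.example/csrf.html"},
                 {}):
        print(hdrs, [check_request(hdrs, trusted, m) for m in ("strict", "lenient", "challenge")])
```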
Received on Friday, 23 January 2009 02:42:27 GMT
