
Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 22 Jan 2009 19:54:37 -0800
Message-ID: <7789133a0901221954x2e70e5d4gb446cc557cef440c@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: ietf-http-wg@w3.org

On Thu, Jan 22, 2009 at 6:41 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Adam Barth wrote:
>>Strict Referer validation:
[...]
>>Lenient Referer validation:

> This is a false dichotomy; servers also have the option to request more
> information before making their final determination whenever deemed
> necessary as long as human interaction is possible. For example, having a
> user re-enter his credentials is a common technique.

To fully defend themselves against CSRF attacks, Web sites must
protect every request that modifies state.  It is impractical to ask
users to re-enter their credentials for every side-effecting
operation.  Also, this technique cannot be used to defend against CSRF
attacks on a site's login form.

Adam
Received on Friday, 23 January 2009 03:55:11 GMT
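As an added example (not code from the draft or from anyone in this thread), the following server-side check applies the Origin header when it is present and otherwise falls back to either strict or lenient Referer validation, covering every state-changing method as the reply argues. The function name check_csrf, the constructed https://bank.example origin and the header dictionaries are assumptions.

```python
from urllib.parse import urlsplit

# Constructed example: a CSRF check that prefers the Origin header
# (draft-abarth-origin) and falls back to Referer validation. Names and
# sample values are assumptions, not taken from the draft or the thread.

SITE_ORIGIN = "https://bank.example"   # the site's own origin (constructed)
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def _origin_of(url):
    """Reduce a URL to scheme://host[:port]; None if it has no scheme/host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    host = parts.hostname
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def check_csrf(method, headers, mode="strict", site_origin=SITE_ORIGIN):
    """Return True if the request may proceed, False if it must be rejected.

    Every state-changing method is checked, because protecting only some of
    them leaves a CSRF hole. mode is "strict" (reject a request that carries
    neither Origin nor Referer) or "lenient" (let such a request through).
    """
    if method.upper() not in STATE_CHANGING:
        return True               # safe methods modify no state; nothing to protect
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    if origin is not None:
        # Origin present: it must match the site exactly. The literal value
        # "null" is never equal to the site's origin, so it is rejected.
        return origin.strip().rstrip("/") == site_origin
    referer = hdrs.get("referer")
    if referer is None:
        return mode == "lenient"  # strict: suppress; lenient: trust by default
    return _origin_of(referer) == site_origin
```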
