- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 22 Jan 2009 19:54:37 -0800
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: ietf-http-wg@w3.org
On Thu, Jan 22, 2009 at 6:41 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Adam Barth wrote:
>>Strict Referer validation: [...]
>>Lenient Referer validation:
> This is a false dichotomy; servers also have the option to request more
> information before making their final determination whenever deemed
> necessary as long as human interaction is possible. For example, having a
> user re-enter his credentials is a common technique.

To fully defend themselves against CSRF attacks, Web sites must protect every request that modifies state. It is impractical to ask users to re-enter their credentials for every side-effecting operation. Also, this technique cannot be used to defend against CSRF attacks on a site's login form.

Adam
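The two Referer-validation policies named in the quoted text, as an added example that is not part of this thread or of either author's code. It assumes a defended site at the origin https://example.com and the mode names "strict" and "lenient" (both are assumptions for illustration). The origin comparison parses scheme, host and port rather than doing a substring match, so a Referer such as https://example.com.attacker.example/ is rejected; the check is applied to every non-safe method, including a POST to the login form, since login CSRF is the case the message says re-authentication cannot cover.

```python
# Added example: strict vs lenient Referer validation for state-changing
# requests. Not from the original thread; SITE_ORIGIN and the mode names are
# assumptions for illustration.
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # assumed origin of the defended site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # methods that must not modify state


def origin_of(url):
    """Return the normalised origin (scheme://host[:port]) of a URL, or None.

    Default ports are dropped so https://example.com:443/ and
    https://example.com/ compare equal; host is lower-cased.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname
    if not scheme or not host:
        return None
    default_port = {"http": 80, "https": 443}.get(scheme)
    if port is None or port == default_port:
        return f"{scheme}://{host.lower()}"
    return f"{scheme}://{host.lower()}:{port}"


def referer_allows(referer, mode, site_origin=SITE_ORIGIN):
    """Decide whether a state-changing request passes Referer validation.

    mode == "strict":  a request with no Referer is rejected.
    mode == "lenient": a request with no Referer is accepted; a present
                       Referer must still match the site's origin.
    """
    if mode not in ("strict", "lenient"):
        raise ValueError(f"unknown mode: {mode}")
    if not referer:
        return mode == "lenient"
    return origin_of(referer) == origin_of(site_origin)


def should_block(method, path, referer, mode):
    """Apply the check to every request that can modify state.

    The path is deliberately not consulted: /login is protected exactly like
    /transfer, because an attacker can forge a login POST just as easily.
    """
    if method.upper() in SAFE_METHODS:
        return False
    return not referer_allows(referer, mode)


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        ("POST", "/transfer", "https://example.com/account", "strict"),
        ("POST", "/transfer", None, "strict"),
        ("POST", "/transfer", None, "lenient"),
        ("POST", "/transfer", "https://example.com.attacker.example/", "lenient"),
        ("POST", "/login", "https://attacker.example/fake-login", "lenient"),
        ("GET", "/account", "https://attacker.example/", "strict"),
    ]
    for method, path, ref, mode in samples:
        verdict = "BLOCK" if should_block(method, path, ref, mode) else "allow"
        print(f"{mode:8} {method:4} {path:10} Referer={ref!r}: {verdict}")
```

The same-origin request passes under both modes; the missing-Referer case is the only one where the modes differ, which is the trade-off the two policies embody (strict breaks clients that suppress Referer, lenient lets an attacker who can cause the header to be suppressed through).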
Received on Friday, 23 January 2009 03:55:11 UTC