- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 23 Jan 2009 23:45:45 -0800
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: ietf-http-wg@w3.org
On Fri, Jan 23, 2009 at 10:59 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> I am unsure what point you are trying to make.

I was trying to make the point that Web sites cannot rely on the Referer header to build a CSRF defense.

> You gave the impression
> that there are only two options, and neither of them is ever acceptable.

Most of the time, sites that use the Referer header to defend themselves against CSRF use lenient Referer validation (meaning they accept requests that lack a Referer header). These sites are easy for attackers to exploit because the attacker can suppress the Referer header in a number of ways. In the past, when I've brought these attacks to the attention of these sites, they explain that they can't use strict Referer validation due to the 3% of users this locks out. After the dust settles, these sites either remain vulnerable or implement a more complex CSRF defense based on secret tokens.

> That is not the case, there are more options, and some of them lead to
> acceptable results for some applications. There may be others, but that
> is no reason to claim a greater problem than there really is.

Yes, there are techniques that sites can use to defend themselves against CSRF, but those techniques are (a) expensive/complex to engineer and (b) difficult to retrofit onto existing web sites. The goal of the Origin header is to make it easier for most sites to defend themselves against CSRF.

Adam
Received on Saturday, 24 January 2009 07:46:20 UTC
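The three server-side checks discussed in the message above (lenient Referer validation, strict Referer validation, and an Origin-header check), run over a handful of constructed request header sets so the failure modes are visible side by side. This is an added example written for this page; it is not code from the thread, from Adam Barth, or from any real site. The protected site `https://example.com`, the attacker host `attacker.example`, the request names and the header sets are all constructed. The Origin check assumes that a browser which supports the header sends `scheme://host[:port]` of the page that issued the request (or the literal `null`), and falls back to strict Referer validation when the header is absent; that fallback policy is an assumption of the example, not something the thread specifies.

```python
# Added example: lenient vs strict Referer validation beside an Origin-header
# check, evaluated over constructed request headers. Not code from the thread
# or from any real site; every host name below is made up.
from urllib.parse import urlsplit

# Hypothetical protected site (assumption).
SITE_ORIGIN = "https://example.com"


def origin_of(url: str):
    """Return scheme://host[:port] of an absolute URL, lower-cased, or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def lenient_referer_check(headers: dict) -> bool:
    """Accepts any request that lacks a Referer (the common, exploitable variant)."""
    referer = headers.get("Referer")
    if referer is None:
        return True
    return origin_of(referer) == SITE_ORIGIN


def strict_referer_check(headers: dict) -> bool:
    """Rejects any request without a same-origin Referer (locks out users whose
    Referer is stripped on the way to the server)."""
    referer = headers.get("Referer")
    if referer is None:
        return False
    return origin_of(referer) == SITE_ORIGIN


def origin_check(headers: dict) -> bool:
    """Origin-header check. Assumption: a browser that sends Origin sends the
    scheme://host[:port] of the issuing page, or the literal "null"; when the
    header is absent (browser without Origin support) fall back to strict
    Referer validation. The fallback policy is this example's choice."""
    origin = headers.get("Origin")
    if origin is None:
        return strict_referer_check(headers)
    if origin == "null":
        return False
    return origin_of(origin) == SITE_ORIGIN


# Constructed header sets for a state-changing POST to the protected site.
REQUESTS = {
    "same-site form post": {
        "Referer": "https://example.com/settings",
        "Origin": "https://example.com",
    },
    "cross-site forgery, Referer present": {
        "Referer": "https://attacker.example/csrf.html",
        "Origin": "https://attacker.example",
    },
    # The attacker suppresses Referer; an Origin-capable browser still sends Origin.
    "cross-site forgery, Referer suppressed": {"Origin": "https://attacker.example"},
    # The "3%" case: a legitimate user whose proxy strips Referer.
    "legit user, proxy strips Referer": {"Origin": "https://example.com"},
    # Legacy browser: no Origin at all, only Referer.
    "legit user, legacy browser (no Origin)": {"Referer": "https://example.com/settings"},
}

CHECKS = {
    "lenient": lenient_referer_check,
    "strict": strict_referer_check,
    "origin": origin_check,
}


def evaluate(requests=REQUESTS):
    """Return {request name: {check name: accepted?}} for every request/check pair."""
    return {name: {c: fn(hdrs) for c, fn in CHECKS.items()} for name, hdrs in requests.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        cells = "  ".join(f"{c}={'accept' if ok else 'reject'}" for c, ok in verdicts.items())
        print(f"{name:42s} {cells}")
```

Running it shows the trade-off the message describes: the lenient check accepts the forged request with a suppressed Referer, the strict check rejects that forgery but also rejects the legitimate user whose proxy strips Referer, and the Origin check rejects the forgery while still admitting that user. Only state-changing requests (POST and the like) need the check; applying it to plain GETs buys nothing and breaks bookmarks and links.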