W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 24 Jan 2009 22:03:07 +0100
To: Adam Barth <w3c@adambarth.com>
Cc: ietf-http-wg@w3.org
Message-ID: <a3omn4hmstth6210uplc1l6h0u25avngmm@hive.bjoern.hoehrmann.de>

* Adam Barth wrote:
>A user who visits such a site with a supporting user agent (which, at
>the moment, includes the Chrome dev channel and the WebKit nightlies)
>will be protected from CSRF attacks.  A site can implement these rules
>without impacting users of non-supporting user agents.

>Which mod_security rules should a Web site implement to use the
>Referer header as a CSRF defense without locking out some of its
>users?

Adapting the header name and regular expression should do. Of course the
difference between the two would be that, and I am assuming proposal and
implementations are perfect, the Origin header would protect a few users
against all CSRF attacks, while the Referer header would protect nearly
all users against some CSRF attacks. Either way the web site would leave
some users vulnerable to some CSRF attacks.

The attraction of the Origin header is inversly proproptional to a site
owner's willingness to leave a substantial, but over time diminishing,
portion of his user base vulnerable to attack. If that is okay, you have
a great solution. If it is not okay, you will implement some fallback
defense, in which case you might just have used the Referer header to
decide when to trigger the fallback, if it does not work always anyways.

In my book, the latter would be relying on the Referer header to build
a CSRF defense, while the the former, relying on the Origin header, is
not really a CSRF defense until perfect implementations are universally
deployed. But arguing about that is not very useful, my point was and is
that you are oversimplifying and thereby overstating your case.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 24 January 2009 21:03:45 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT