W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 24 Jan 2009 15:16:12 -0800
Message-ID: <7789133a0901241516s1a40c99eu27615ebe15fb0618@mail.gmail.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
Cc: ietf-http-wg@w3.org

The essential point which you are misunderstanding is this:

1) The attacker can force a user agent to suppress the Referer header,
mimicking a user behind a Referer-stripping proxy.

2) The attacker cannot force a supporting user agent to suppress the
Origin header and therefore cannot mimic a non-supporting user agent.

Fact (1) renders the Referer header useless as a CSRF defense, whereas
fact (2) allows the Origin header to be incrementally useful as a CSRF
defense.

On Sat, Jan 24, 2009 at 1:03 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Adam Barth wrote:
>>Which mod_security rules should a Web site implement to use the
>>Referer header as a CSRF defense without locking out some of its
>>users?
>
> Adapting the header name and regular expression should do.

That would not be an effective CSRF defense for any users.  The rules
you suggest implement lenient Referer validation, which does not
prevent an attacker from mounting a CSRF attack (as explained
previously in this thread).

> Of course the
> difference between the two would be that, and I am assuming proposal and
> implementations are perfect, the Origin header would protect a few users
> against all CSRF attacks, while the Referer header would protect nearly
> all users against some CSRF attacks.

An attacker has no trouble crafting an exploit against lenient Referer
validation.  It's pointless to consider defenses that can be defeated
by an adaptive adversary.

> Either way the web site would leave
> some users vulnerable to some CSRF attacks.

The rules you suggest leave all users vulnerable.

> The attraction of the Origin header is inversly proproptional to a site
> owner's willingness to leave a substantial, but over time diminishing,
> portion of his user base vulnerable to attack.

This is the case for any new browser feature designed to help with any
web security vulnerability.  We should not simply give up.  In fact,
the cost for a site to deploy an Origin-header based CSRF defense is
so low, I would expect many sites to deploy the defense, at first, to
supplement their existing CSRF defenses.

> If that is okay, you have
> a great solution. If it is not okay, you will implement some fallback
> defense, in which case you might just have used the Referer header to
> decide when to trigger the fallback, if it does not work always anyways.

You haven't stated precisely how you envision this working, but
suppose you rely on your fall back defense when the Referer header is
absent.  If you have a vulnerability in your fall back, then, with the
Referer approach, 100% of your users are vulnerable CSRF.  With
Origin, users with supporting user agents are protected from CSRF.

> In my book, the latter would be relying on the Referer header to build
> a CSRF defense, while the the former, relying on the Origin header, is
> not really a CSRF defense until perfect implementations are universally
> deployed.

In fact, the situation is precisely the opposite.  The Referer header
is useless as a CSRF defense until it reaches 100% deployment
(including not being removed by proxies), whereas the Origin header is
incrementally useful as a CSRF defense.

> But arguing about that is not very useful, my point was and is
> that you are oversimplifying and thereby overstating your case.

I do not believe I am oversimplifying or overstating my case.  The
Referer-based CSRF defense you suggest as an alternative doesn't
actually block CSRF attacks.  By contrast, the Origin-based CSRF
defense I suggest does actually block CSRF attacks.

Adam
Received on Saturday, 24 January 2009 23:16:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT