* Adam Barth wrote:
>We suggest that user agents attach an Origin header to POST requests.
>This balances the security benefits of easy CSRF protection with the
>privacy costs. If user agents attached this header, sites could
>protect themselves from CSRF by (1) undertaking state-modifying actions
>only in response to POST requests and (2) implementing the below web
>application firewall rule (e.g., ModSecurity rule):

Isn't that balance a little bit odd? You can virtually eliminate the
privacy concerns simply by saying no more than "This request has been
initiated from a site different from the one mentioned in the Host
header", say, `Pragma: cross-site`, without losing much flexibility.
The scan for "pragma contains 'cross-site'" is also easier to set up.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Saturday, 21 June 2008 21:58:08 GMT
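The two server-side checks the thread contrasts, as an added example that is not from either message: a small Python filter applying an Origin-based rule in the spirit of Adam Barth's proposal (my own rendering; the ModSecurity rule he refers to is not reproduced on the page) and Björn Höhrmann's proposed `Pragma: cross-site` marker to constructed requests. The host `shop.example`, the header values, and the helper names are assumptions for illustration.

```python
# Added example (not from the thread): server-side CSRF checks that
# mirror the two header proposals discussed above, so the trade-off
# can be exercised on constructed requests.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    method: str
    host: str                       # value of the Host header
    headers: dict = field(default_factory=dict)

    def header(self, name, default=None):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return default


def origin_check(req):
    """Origin-header policy (assumed rendering; the WAF rule quoted in
    the thread is not on the page). A state-changing request is allowed
    only if it carries an Origin whose host matches the Host header.
    Returns (allowed, reason)."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method, not a state change"
    origin = req.header("Origin")
    if origin is None:
        return False, "POST without Origin header"
    origin_host = urlsplit(origin).netloc.lower()
    if origin_host != req.host.lower():
        return False, f"cross-site request from {origin_host}"
    return True, "same-site Origin"


def pragma_check(req):
    """Pragma: cross-site policy as sketched in the reply. The browser
    would add the token to any request initiated from a different site;
    the server refuses state-changing requests that carry it."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method, not a state change"
    # Pragma is a comma-separated token list and often already carries
    # no-cache, so parse tokens instead of a plain substring scan.
    tokens = {t.strip().lower() for t in req.header("Pragma", "").split(",")}
    if "cross-site" in tokens:
        return False, "request marked cross-site by the browser"
    return True, "not marked cross-site"


def disclosed(req):
    """What each scheme lets the target server learn about the
    initiating page: the Origin scheme hands over the site; the Pragma
    scheme hands over a single bit."""
    origin = req.header("Origin")
    pragma_tokens = {t.strip().lower() for t in req.header("Pragma", "").split(",")}
    return {
        "origin_scheme": urlsplit(origin).netloc.lower() if origin else None,
        "pragma_scheme": "cross-site" in pragma_tokens,
    }


# Constructed sample traffic against a site whose Host is shop.example.
SAMPLE_REQUESTS = [
    Request("GET", "shop.example", {"Origin": "https://blog.example"}),
    Request("POST", "shop.example", {"Origin": "https://shop.example"}),
    Request("POST", "shop.example",
            {"Origin": "https://attacker.example", "Pragma": "no-cache, cross-site"}),
    Request("POST", "shop.example", {}),   # legacy client sending neither header
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Run both policies over the requests; returns a list of
    (origin_allowed, pragma_allowed) pairs in request order."""
    return [(origin_check(r)[0], pragma_check(r)[0]) for r in requests]


if __name__ == "__main__":
    for r, (o, p) in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{r.method:4} {r.headers!s:60} origin={o!s:5} pragma={p!s:5} "
              f"discloses={disclosed(r)}")
```

On the sample traffic both policies reject the same forged POST, but `disclosed()` shows the difference the thread is about: the Origin scheme tells `shop.example` that the request came from `attacker.example`, while the Pragma scheme only says "cross-site". The last request, a client that sends neither header, shows where the two diverge in the other direction: a strict Origin rule rejects it, whereas the Pragma scheme cannot distinguish it from a same-site request.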