- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 23 Jun 2008 14:07:00 -0700
- To: "Bjoern Hoehrmann" <derhoermi@gmx.net>
- Cc: "Collin Jackson" <w3c@collinjackson.com>, public-webapps@w3.org
On Mon, Jun 23, 2008 at 1:18 PM, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Adam Barth wrote:
>>There are three cases:
>>
>>1) Origin header missing: This is a non-supporting browser. Fall
>>back to existing CSRF defenses.
>>2) Origin header has a trusted value: Accept the request.
>>3) Origin header has an untrusted value: Reject the request.
>
> Yes, and I am saying, if the first case properly protects against these
> attacks, then you do not need the header. If it does not, then you have
> an insecure web application at least until you drop this case.

In this situation, users of non-supporting browsers are subject to CSRF attacks but users of supporting browsers are protected from these attacks. This is incentive for browser vendors to adopt the Origin header for cross-origin POSTs and is true of any client-side mechanism for protecting against CSRF.

> For this
> kind of web application, when it needs to be used cross-site, the header
> does indeed have some "advantage" over the simpler cross-site indicator,
> but making inherently insecure applications a little less insecure, if
> you could also fully secure them, does not strike me as a good deal.

I don't understand this point. Why is it inherently insecure for Facebook or Slashdot to use multiple domains? I don't see any security risk in hosting IT Slashdot articles on it.slashdot.org and Developer Slashdot articles on developers.slashdot.org. Furthermore, it seems entirely reasonable for Slashdot to want to issue POST requests across these subdomains. For example, each category might wish to POST a search query to search.slashdot.org.

> I would be quite interested in having an indicator
> that helps blocking unwanted cross site requests, like legacy cross site
> form posts, I just don't see how the non-"XHR2+AC"-'Origin' header is
> better than a much simpler, more difficult to manipulate, and privacy-
> enhanced cross site indicator.

The Origin header is better because it lets sites that use multiple domains protect themselves from CSRF, whereas "Pragma: cross-site" does not. How can the Origin header be manipulated for cross-origin requests?

Adam
Received on Monday, 23 June 2008 21:07:46 UTC
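The three-case server-side decision Adam quotes above (Origin missing: fall back to existing CSRF defenses; trusted: accept; untrusted: reject), written out as an added example that is not part of the thread or of any W3C draft. It uses the Slashdot subdomains from the message as a constructed allow-list, and the fallback for case 1 is a conventional per-session CSRF token, which is an assumption of this example rather than something the thread specifies. The value `null` and any unparsable Origin are treated as untrusted, and Origin values are normalized so that case and default ports do not defeat the comparison.

```python
import hmac
from urllib.parse import urlsplit

# Constructed allow-list: the subdomains named in the message above.
TRUSTED_ORIGINS = {
    "https://it.slashdot.org",
    "https://developers.slashdot.org",
    "https://search.slashdot.org",
}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def normalize_origin(value):
    """Reduce an Origin header value to scheme://host[:port], lower-cased.

    Returns None for "null" (opaque origin) or anything that does not
    parse as an http(s) origin; callers treat None as untrusted.
    """
    value = value.strip()
    if value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def legacy_csrf_check(form, session):
    """Assumed fallback for non-supporting browsers: a per-session token
    carried in the form body must match the one stored server-side."""
    submitted = form.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    return bool(submitted) and hmac.compare_digest(submitted, expected)


def decide(method, headers, form, session, trusted=TRUSTED_ORIGINS):
    """Return "accept" or "reject" for one request.

    Only state-changing methods are checked; the three cases from the
    thread apply to those.
    """
    if method.upper() in SAFE_METHODS:
        return "accept"
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    if origin is None:
        # Case 1: non-supporting browser, fall back to existing defense.
        return "accept" if legacy_csrf_check(form, session) else "reject"
    if normalize_origin(origin) in trusted:
        return "accept"  # Case 2: trusted value
    return "reject"      # Case 3: untrusted (including "null" or garbage)


if __name__ == "__main__":
    session = {"csrf_token": "tok-123"}
    print(decide("POST", {"Origin": "https://it.slashdot.org"}, {}, session))
    print(decide("POST", {"Origin": "https://evil.example"}, {}, session))
    print(decide("POST", {}, {"csrf_token": "tok-123"}, session))
```

Note that the fallback in case 1 is what actually bounds the exposure of users on non-supporting browsers; a deployment that accepted Origin-less POSTs unconditionally would be no better off than before the header existed.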