
Re: XHR without user credentials

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 13 Jun 2009 10:23:48 -0700
Message-ID: <7789133a0906131023l2fd17253n27de40ee37aa066c@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Sat, Jun 13, 2009 at 5:39 AM, Tyler Close<tyler.close@gmail.com> wrote:
> On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth<w3c@adambarth.com> wrote:
>> Suppose GuestXHR doesn't send an Origin header for any requests and a
>> server uses the algorithm in draft-abarth-origin to mitigate CSRF
>> attacks.  Now, an attacker can mount a CSRF attack against the server.
>
> Could you provide a bit more detail here? I don't understand how an
> attacker could mount a CSRF attack using GuestXHR, if there are no
> user credentials in a GuestXHR request.

For example, GuestXHR could be used to mount a login CSRF attack.
Alternatively, if the server is using IP-based authentication, it could
be used to mount a CSRF attack (e.g., inflate the bill at the ACM
digital library, which uses IP-based authentication).

> It seems to me that Origin is only about telling a server how to treat
> user credentials attached to a request.

The Origin-as-CSRF-defense is about giving the server advice on when
to change state.  Oftentimes user credentials are also involved in
this decision, but that's not necessary.

Adam
Received on Saturday, 13 June 2009 17:24:46 GMT
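As an added illustration of the gap discussed above (this code is not part of Adam's message, of GuestXHR, or of the draft itself): a compatibility-oriented Origin check that accepts requests lacking the header lets an Origin-less state-changing request through, while a fail-closed variant requires a trusted Origin on every state-changing request. The trusted-origin list and the sample requests are constructed, and the two rules are a simplified reading of the draft's advice, not its text.

```python
"""Origin-based CSRF check in the spirit of draft-abarth-origin.

Assumptions (not from the thread): the server keeps a list of trusted
origins and applies the check only to state-changing methods.
"""

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}
TRUSTED_ORIGINS = {"https://example.org"}  # constructed sample value


def allow_legacy(method, headers):
    """Compatibility rule: reject a request whose Origin is present and
    untrusted, but accept one with no Origin header at all (so browsers
    that predate the header keep working). A request that omits Origin,
    as a GuestXHR request would, therefore passes this check unchanged."""
    if method not in STATE_CHANGING:
        return True
    origin = headers.get("Origin")
    if origin is None:
        return True  # the gap described in the message above
    return origin in TRUSTED_ORIGINS


def allow_strict(method, headers):
    """Fail-closed rule: a state-changing request must carry a trusted
    Origin; a missing header is treated like an untrusted origin."""
    if method not in STATE_CHANGING:
        return True
    return headers.get("Origin") in TRUSTED_ORIGINS


# Constructed requests: a same-site post, a cross-site post, a post with
# no Origin header (what a GuestXHR-style request looks like), and a GET.
SAMPLE_REQUESTS = {
    "same_site": ("POST", {"Origin": "https://example.org"}),
    "cross_site": ("POST", {"Origin": "https://other-site.example"}),
    "no_origin": ("POST", {}),
    "read_only": ("GET", {}),
}


def evaluate(check):
    """Run one of the rules over every sample request."""
    return {name: check(m, h) for name, (m, h) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, check in (("legacy", allow_legacy), ("strict", allow_strict)):
        print(name, evaluate(check))
```

Under the legacy rule the `no_origin` request is accepted, which is exactly why an agent that never sends Origin defeats the defense; the strict rule closes that path at the cost of breaking clients that omit the header.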
