
Re: XHR without user credentials

From: Tyler Close <tyler.close@gmail.com>
Date: Sat, 13 Jun 2009 12:20:59 -0700
Message-ID: <5691356f0906131220l171fb1fal74690fe71ecb9f18@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>

On Sat, Jun 13, 2009 at 10:23 AM, Adam Barth<w3c@adambarth.com> wrote:
> On Sat, Jun 13, 2009 at 5:39 AM, Tyler Close<tyler.close@gmail.com> wrote:
>> On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth<w3c@adambarth.com> wrote:
>>> Suppose GuestXHR doesn't send an Origin header for any requests and a
>>> server uses the algorithm in draft-abarth-origin to mitigate CSRF
>>> attacks.  Now, an attacker can mount a CSRF attack against the server.
>>
>> Could you provide a bit more detail here? I don't understand how an
>> attacker could mount a CSRF attack using GuestXHR, if there are no
>> user credentials in a GuestXHR request.
>
> For example, GuestXHR could be used to mount a login CSRF attack.

Are you sure about that? Since the response won't carry the
Access-Control-Allow-Origin header, the browser shouldn't set any
cookies. I don't see how this attack works.

> Alternatively, if the server is using IP-based authentication, it could
> be used to mount a CSRF attack (e.g., inflate the bill at the ACM
> digital library, which uses IP-based authentication).

Since such servers aren't currently looking for the Origin header,
adding the header still won't protect them. I'm also not sure they
would block on the header if they did know about it. If they think
IP-based authentication is good enough, are they really going to
reject a request with "Origin: null"?

>> It seems to me that Origin is only about telling a server how to treat
>> user credentials attached to a request.
>
> The Origin-as-CSRF-defense is about giving the server advice on when
> to change state.  Oftentimes user credentials are also involved in
> this decision, but that's not necessary.

What are the other possibilities? Do any of them make sense in the
context of GuestXHR?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
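Added example (not code from the thread or from either participant): a server-side Origin check of the kind the thread argues about, showing where the three cases raised above land: an allowlisted Origin, "Origin: null", and a request with no Origin header at all. The policy for a missing header is an assumed, configurable choice rather than a quotation of draft-abarth-origin; function names and sample origins are assumptions.

```python
from urllib.parse import urlsplit

# Methods that must not change server state; an Origin-based CSRF defense
# only gates the others.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None for
    'null' and anything that is not a bare scheme://host[:port]."""
    if value is None or value.strip().lower() == "null":
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme])


def allow_state_change(method, headers, allowed_origins, reject_missing_origin):
    """Decide whether a request may change state, returning (allowed, reason).

    allowed_origins: serialized origins the site trusts (assumed allowlist).
    reject_missing_origin: the policy choice the thread debates (assumption,
      not the draft's wording): True rejects requests carrying no Origin
      header at all; False lets them through on the assumption that they
      come from a legacy client.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        if reject_missing_origin:
            return False, "no Origin header"
        return True, "no Origin header; legacy client assumed"
    parsed = parse_origin(origin)
    if parsed is None:
        # "Origin: null" and malformed values cannot be told apart from an
        # unknown cross-site sender, so they are treated as one.
        return False, "Origin is null or malformed"
    trusted = {parse_origin(o) for o in allowed_origins} - {None}
    if parsed in trusted:
        return True, "Origin allowlisted"
    return False, "Origin not allowlisted"
```

The `reject_missing_origin` flag is the crux of the disagreement: with it set to False, a request that omits the header entirely passes the check regardless of where it came from.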
Received on Saturday, 13 June 2009 19:21:35 GMT
