
Re: XHR without user credentials

From: Tyler Close <tyler.close@gmail.com>
Date: Sat, 13 Jun 2009 12:32:33 -0700
Message-ID: <5691356f0906131232k5f6a3577xe25bd6b1ff741796@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Sat, Jun 13, 2009 at 12:20 PM, Tyler Close<tyler.close@gmail.com> wrote:
> On Sat, Jun 13, 2009 at 10:23 AM, Adam Barth<w3c@adambarth.com> wrote:
>> Alternatively, if the server is using IP-based authentication, it could
>> be used to mount a CSRF attack (e.g., inflate the bill at the ACM
>> digital library, which uses IP-based authentication).
>
> Since such servers aren't currently looking for the Origin header,
> adding the header still won't protect them. I'm also not sure they
> would block on the header if they did know about it. If they think
> IP-based authentication is good enough, are they really going to
> reject a request with "Origin: null"?

If they did, I could deflate my bill by submitting my own requests
with the "Origin: null" header using curl. ;)

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Saturday, 13 June 2009 19:33:05 GMT
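The exchange above turns on what a server that relies on IP-based authentication can actually do with the Origin header. The following is an added example, not code from the thread or from any of its participants, of the server-side decision such a server would have to make for a state-changing request: a trusted origin is accepted, a cross-site origin and "Origin: null" (the value a browser sends when it will not disclose the requesting origin) are rejected, and a request with no Origin header at all, which is what a non-browser client such as curl sends unless told otherwise, is handled by an explicit policy flag. The origin `https://library.example`, the `Decision` type and the `allow_missing_origin` parameter are assumptions made for this example.

```python
"""Origin-header check for a state-changing endpoint (added example).

Models the decision discussed in the thread for a server that has no
per-user token and only an IP-based notion of who the client is. Names
below (TRUSTED_ORIGINS, Decision, allow_missing_origin) are hypothetical.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Hypothetical: the server's own origin(s). Constructed for this example.
TRUSTED_ORIGINS = frozenset({"https://library.example"})
# Methods that must not change state and therefore need no origin check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_origin(method: str, headers: Mapping[str, str],
                 allow_missing_origin: bool = False) -> Decision:
    """Decide whether a request may perform a state change, based on Origin.

    - Safe methods are always allowed.
    - "Origin: null" is an opaque origin: the browser is not telling the
      server where the request came from, so it is treated as untrusted.
    - An origin listed in TRUSTED_ORIGINS is allowed.
    - A missing Origin header means a client that is not a (current)
      browser; the server chooses via allow_missing_origin.
    """
    if method.upper() in SAFE_METHODS:
        return Decision(True, "safe method, no origin check needed")

    # Header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    origin: Optional[str] = lowered.get("origin")

    if origin is None:
        if allow_missing_origin:
            return Decision(True, "no Origin header; accepted by policy")
        return Decision(False, "no Origin header; rejected by policy")
    if origin == "null":
        return Decision(False, "Origin is null (opaque origin)")
    if origin in TRUSTED_ORIGINS:
        return Decision(True, f"trusted origin {origin}")
    return Decision(False, f"cross-site origin {origin}")


# Constructed sample requests covering each branch of the policy.
SAMPLE_REQUESTS = [
    ("POST", {"Origin": "https://library.example"}),  # same site
    ("POST", {"Origin": "https://other.example"}),    # cross-site browser request
    ("POST", {"Origin": "null"}),                     # origin withheld by browser
    ("POST", {}),                                     # non-browser client, no Origin
    ("GET", {}),                                      # safe method
]


def summarise(allow_missing_origin: bool = False) -> list:
    """Return (method, origin, allowed) for each constructed sample request."""
    rows = []
    for method, headers in SAMPLE_REQUESTS:
        decision = check_origin(method, headers, allow_missing_origin)
        rows.append((method, headers.get("Origin", "<absent>"), decision.allowed))
    return rows


if __name__ == "__main__":
    for method, origin, allowed in summarise():
        print(f"{method:5} Origin={origin:26} allowed={allowed}")
```

The check only constrains requests that a browser constructs on a user's behalf, because only a browser sets the Origin header honestly; a client that builds its own requests chooses whatever header value it likes, which is the point of the curl remark above. That is why an Origin check complements, but does not replace, authenticating the user with something the client cannot simply assert.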
