W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2009

Re: [access-control] Access-Control-Allow-Origin: * and ascii-origin in IE8

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 15 Jan 2009 08:34:45 -0800
Message-ID: <7789133a0901150834v15c4b72arcf1269f337b1563d@mail.gmail.com>
To: "Bil Corry" <bil@corry.biz>
Cc: "Maciej Stachowiak" <mjs@apple.com>, "Adrian Bateman" <adrianba@microsoft.com>, "Anne van Kesteren" <annevk@opera.com>, "Jonas Sicking" <jonas@sicking.cc>, "public-webapps@w3.org" <public-webapps@w3.org>

On Thu, Jan 15, 2009 at 7:24 AM, Bil Corry <bil@corry.biz> wrote:
> Using XSS, an attacker could change the target of a login form to a MitM site,

If your site has XSS, there is nothing a CSRF defense can do to help you.

On Wed, Jan 14, 2009 at 10:47 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> So one thing to keep in mind is that any POST-based form would not be
> vulnerable to this kind of attack unless the victim site actually submits a
> form to an untrusted site. There is no way for a GET request to be
> redirected to a POST, and it seems to me the practice of Site A submitting a
> form to untrusted site B is likely to be quite rare and easily avoidable.

I agree that POST-based redirects attacks on the
Origin-header-as-CSRF-defense are mostly theoretical.  Keep in mind
also that even if the honest site sends a POST request to the
attacker's site, the attacker is unable to alter the body of the
request when redirecting it.

> Thus, the difference in behavior of the CSRF-prevention Origin does not do
> any good, and so we may as well use just one Origin header.

I agree.

Received on Thursday, 15 January 2009 16:35:24 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:13 UTC