- From: Michael A. Peters <mpeters@domblogger.net>
- Date: Tue, 1 Nov 2016 03:26:26 -0700
- To: whatwg@lists.whatwg.org
On 11/01/2016 02:42 AM, Roger Hågensen wrote:
> I was wondering how a server or script can identify if a request is from a
> page, iframe or xhr?
>
> Doing this would not prevent any XSS attacks, but it would allow a
> server/server-side script to detect a potential XSS attack.
>
> I could not find any mention of any reliable way to do this currently.
>
> Here is an example of this idea: when the browser fetches the page, the
> server sends this as a response header to the browser...
>
> RRS: *
>
> or
>
> RRS: url
>
> or
>
> RRS: iframe
>
> or
>
> RRS: script
>
> And when the browser does a POST it will send one of these (if the server
> sent a RRS header) ...
>

Any server admin that trusts a header sent by a client for security purposes is a fool. They lie, and any browser extension or plugin can influence what headers are sent and what they contain.

The only thing you really can do with POST is set a single-use CSRF token that the browser must include with the POST data. If the browser does not send the token, or sends an incorrect/expired token for the session ID, then the server rejects the post (I send a 403 Forbidden).
Received on Tuesday, 1 November 2016 10:27:00 UTC
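The single-use, per-session CSRF token check that the reply describes, written out as an added example (it is not code from the list thread or from any project mentioned in it). It assumes a server-side store keyed by session ID, a token lifetime of 600 seconds, an injectable clock so expiry can be exercised, and a hypothetical `handle_post` that returns the HTTP status the server would answer with; the sample session IDs are constructed.

```python
import hmac
import secrets
import time

# Assumption: tokens live for 10 minutes; the list message gives no lifetime.
TOKEN_TTL_SECONDS = 600


class CsrfTokenStore:
    """Server-side store of single-use CSRF tokens bound to a session ID."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable for testing expiry
        self._tokens = {}            # (session_id, token) -> expiry timestamp

    def issue(self, session_id):
        """Mint a fresh random token for this session and remember its expiry."""
        token = secrets.token_urlsafe(32)
        self._tokens[(session_id, token)] = self._clock() + self._ttl
        return token

    def consume(self, session_id, presented):
        """Return True exactly once for a valid, unexpired token of this session.

        Missing, unknown, expired, already-used, or other-session tokens all
        return False. Expired entries are garbage-collected as they are seen.
        """
        if not presented:
            return False
        now = self._clock()
        match = None
        for (sid, tok), expiry in list(self._tokens.items()):
            if expiry <= now:
                del self._tokens[(sid, tok)]      # expired: drop it
                continue
            # Constant-time comparison so timing does not leak token bytes.
            if sid == session_id and hmac.compare_digest(tok, presented):
                match = (sid, tok)
        if match is None:
            return False
        del self._tokens[match]                    # single use: burn it
        return True


def handle_post(store, session_id, form):
    """Hypothetical POST handler: 200 if the CSRF token checks out, else 403."""
    if store.consume(session_id, form.get("csrf_token")):
        return 200
    return 403


if __name__ == "__main__":
    store = CsrfTokenStore()
    sid = "sess-A"                                 # constructed session ID
    token = store.issue(sid)                       # embedded in the form
    print(handle_post(store, sid, {"csrf_token": token}))   # first use accepted
    print(handle_post(store, sid, {"csrf_token": token}))   # replay rejected
    print(handle_post(store, "sess-B", {"csrf_token": store.issue(sid)}))  # wrong session
```

Because the decision rests only on server-held state (the session ID and the token the server itself issued), nothing the client can add to or alter in its request headers changes the outcome, which is the property the reply is arguing for.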