- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 23 Jan 2009 03:41:45 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: ietf-http-wg@w3.org
* Adam Barth wrote:
>A Web site that wishes to use the Referer header to defend itself
>against CSRF has two choices:
>
>Strict Referer validation:
>1) If the Referer header is present, ensure that it contains a "trusted" value.
>2) If the Referer header is absent, *reject* the request.
>
>Lenient Referer validation:
>1) If the Referer header is present, ensure that it contains a "trusted" value.
>2) If the Referer header is absent, *accept* the request.

This is a false dichotomy; servers also have the option to request more
information before making their final determination whenever deemed
necessary as long as human interaction is possible. For example, having a
user re-enter his credentials is a common technique.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 23 January 2009 02:42:27 UTC
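The three options discussed in the message (strict, lenient, and the third one Björn raises, asking the user for more information when the Referer is absent) as a server-side check. This is an added example written for this page, not code from the thread or from any of the participants; the trusted origin set, the header dictionary shape (lower-cased names) and the Policy/Verdict names are assumptions.

```python
"""Referer-based CSRF check with three policies for a missing header.

Added example, not code from the thread. The policies mirror the message:
STRICT    -> Referer absent: reject the request
LENIENT   -> Referer absent: accept the request
CHALLENGE -> Referer absent: ask the user to re-enter credentials before
             the state-changing request is honoured (the third option)
A Referer that is present but not trusted is rejected under every policy.
"""
from enum import Enum
from urllib.parse import urlsplit


class Policy(Enum):
    STRICT = "strict"
    LENIENT = "lenient"
    CHALLENGE = "challenge"


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    REAUTH = "reauth"   # request more information before deciding


def origin_of(url):
    """Return scheme://host[:port] for a Referer value, or None if unparsable.

    The comparison is done on the whole origin rather than on a substring of
    the header, so 'https://example.com.attacker.test/' does not match an
    entry for 'https://example.com'. Default ports are normalised away.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on bad ports
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    default = 443 if parts.scheme == "https" else 80
    origin = f"{parts.scheme}://{host.lower()}"
    if port is not None and port != default:
        origin += f":{port}"
    return origin


def check_referer(headers, trusted_origins, policy):
    """Decide what to do with a state-changing request based on Referer.

    headers: dict with lower-cased header names (assumption of this example).
    trusted_origins: set of origins such as {"https://example.com"}.
    """
    referer = headers.get("referer")
    if not referer:
        # Header absent: only here do the three policies differ.
        if policy is Policy.STRICT:
            return Verdict.REJECT
        if policy is Policy.LENIENT:
            return Verdict.ACCEPT
        return Verdict.REAUTH
    if origin_of(referer) in trusted_origins:
        return Verdict.ACCEPT
    # Present but untrusted or unparsable: reject under every policy.
    return Verdict.REJECT


def decide(headers, trusted_origins, policy, reauthenticated=False):
    """Close the loop for the CHALLENGE policy.

    `reauthenticated` is established by the caller, e.g. by verifying a
    password the user re-entered on the challenge page for this request.
    A REAUTH verdict then becomes ACCEPT; any other verdict is unchanged.
    """
    verdict = check_referer(headers, trusted_origins, policy)
    if verdict is Verdict.REAUTH and reauthenticated:
        return Verdict.ACCEPT
    return verdict


if __name__ == "__main__":
    # Constructed sample requests; nothing here is captured traffic.
    trusted = {"https://example.com"}
    samples = [
        {"referer": "https://example.com/account/settings"},
        {"referer": "https://example.com.attacker.test/csrf"},
        {},   # Referer stripped by a proxy, privacy extension or policy
    ]
    for policy in Policy:
        for hdrs in samples:
            print(policy.value, hdrs.get("referer", "<absent>"),
                  "->", check_referer(hdrs, trusted, policy).value)
```

Only the absent-header case separates the three policies; a Referer that is present and points at an untrusted origin is rejected by all of them, which is also what the quoted text says in step 1 of both variants.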