- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 22 Jan 2009 19:51:52 -0800
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
On Thu, Jan 22, 2009 at 6:29 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> The feature of "defend themselves against CSRF by identifying
> the referral page" is satisfied by "don't allow requests that
> lack an appropriate Referer". Your estimate that it would also
> block some 3% of false negatives does not lessen its defense.
> The 3% would get an error message in response.

These 3% of potential users would be unable to use the Web site. In talking with folks who run large Web sites, I've been told that excluding 3% of your potential customers is not acceptable.

> Your claims are based on the assumption that those very same
> 3% proxies will forward the Origin header unchanged.

This is not an assumption. In April 2008, we measured how often various headers were suppressed for 283,945 browsers who viewed an advertisement we placed with a minor ad network. We observed that the Referer header was suppressed for approximately 3% of requests, whereas the Origin header was suppressed for only 0.029-0.047% of requests (95% confidence). For more detailed results and a description of the methodology, please see Section 4.2.1 of

http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

> Your assumption is wrong.

What evidence do you have to back up this claim?

> The proxies that remove request headers
> today are the ones that remove all request headers and rewrite
> each request on their own terms

These proxies do not appear to be nearly as common as proxies that strip the Referer header.

Adam
Received on Friday, 23 January 2009 03:52:29 UTC
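The two policies argued over in this message, as an added example that is not part of the thread and not code from either author: a Referer-only check of the kind Roy describes ("don't allow requests that lack an appropriate Referer") next to an Origin-first check that falls back to Referer and only then decides what to do when both headers are missing. The trusted origins, the function names and the sample traffic are all assumptions constructed for the example; the sample is not the paper's measurement data, it only reproduces the shape of the problem (some legitimate requests arrive with Referer stripped, far fewer with Origin stripped).

```python
"""CSRF origin checks: Referer-only versus Origin-first with Referer fallback.

Added example; names, trusted origins and sample requests are assumptions.
"""
from urllib.parse import urlsplit

# Origins allowed to submit state-changing requests (assumed for the example).
TRUSTED_ORIGINS = {"https://example.com", "https://www.example.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce an absolute URL to its scheme://host[:port] origin, or None.

    Default ports are not normalised here: if clients may send either
    "https://host" or "https://host:443", list both in TRUSTED_ORIGINS.
    """
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def _lower_headers(headers):
    return {k.lower(): v for k, v in headers.items()}


def referer_only_verdict(method, headers, trusted=TRUSTED_ORIGINS):
    """Roy's policy: reject any state-changing request lacking a trusted Referer.

    Returns (allowed, reason).  Every request whose Referer was stripped by
    an intermediary is rejected, whether or not it was legitimate.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check needed"
    referer = _lower_headers(headers).get("referer")
    if referer is None:
        return False, "no Referer header"
    if origin_of(referer) in trusted:
        return True, "Referer origin is trusted"
    return False, f"Referer origin not trusted: {origin_of(referer)!r}"


def origin_first_verdict(method, headers, trusted=TRUSTED_ORIGINS, strict=True):
    """Consult Origin first (rarely stripped), then Referer, then a policy
    for the case where neither header is present.

    strict=True denies header-less requests (safe, loses those users);
    strict=False allows them (keeps those users, but they go unchecked).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check needed"
    h = _lower_headers(headers)

    origin = h.get("origin")
    if origin is not None:
        # Browsers send the literal string "null" for opaque origins
        # (e.g. sandboxed iframes); it never matches a trusted origin.
        if origin.strip().lower() in trusted:
            return True, "Origin header is trusted"
        return False, f"Origin header not trusted: {origin!r}"

    referer = h.get("referer")
    if referer is not None:
        ref_origin = origin_of(referer)
        if ref_origin in trusted:
            return True, "Referer origin is trusted"
        return False, f"Referer origin not trusted: {ref_origin!r}"

    if strict:
        return False, "no Origin or Referer; strict policy denies"
    return True, "no Origin or Referer; lenient policy allows"


# Constructed sample traffic (not measured data): (method, headers, legitimate?)
SAMPLE_REQUESTS = [
    ("POST", {"Origin": "https://example.com", "Referer": "https://example.com/form"}, True),
    ("POST", {"Origin": "https://example.com"}, True),                  # Referer stripped
    ("POST", {"Referer": "https://example.com/form"}, True),            # Origin stripped (rare)
    ("POST", {}, True),                                                 # both stripped
    ("POST", {"Origin": "https://attacker.example",
              "Referer": "https://attacker.example/csrf"}, False),      # cross-site forgery
    ("POST", {"Origin": "null"}, False),                                # opaque origin
]


def policy_stats(policy, requests=SAMPLE_REQUESTS):
    """Count legitimate requests a policy rejects and forgeries it accepts."""
    legit_rejected = forged_accepted = 0
    for method, headers, legit in requests:
        allowed, _reason = policy(method, headers)
        if legit and not allowed:
            legit_rejected += 1
        if not legit and allowed:
            forged_accepted += 1
    return {"legit_rejected": legit_rejected, "forged_accepted": forged_accepted}


if __name__ == "__main__":
    print("Referer only :", policy_stats(referer_only_verdict))
    print("Origin first :", policy_stats(origin_first_verdict))
```

Both policies stop the forgery and the opaque-origin request; the difference is only in how many legitimate users are turned away. On the constructed sample the Referer-only policy rejects two of the four legitimate requests (Referer stripped, both stripped) while the Origin-first policy rejects one (both stripped), and the `strict` flag is the knob that decides what happens to that last case.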