Re: The HTTP Origin Header (draft-abarth-origin)

On Thu, Jan 22, 2009 at 6:41 PM, Bjoern Hoehrmann <> wrote:
> * Adam Barth wrote:
>>Strict Referer validation:
>>Lenient Referer validation:

> This is a false dichotomy; servers also have the option to request more
> information before making their final determination whenever deemed ne-
> cessary as long as human interaction is possible. For example, having a
> user re-enter his credentials is a common technique.

To fully defend themselves against CSRF attacks, Web sites must
protect every request that modifies state.  It is impractical to ask
users to re-enter their credentials for every side effecting
operation.  Also, this technique cannot be used to defend against CSRF
attacks on a site's login form.


Received on Friday, 23 January 2009 03:55:11 UTC