Re: The HTTP Origin Header (draft-abarth-origin)

On Fri, Jan 23, 2009 at 10:59 PM, Bjoern Hoehrmann <> wrote:
> I am unsure what point you are trying to make.

I was trying to make the point that Web sites cannot rely on the
Referer header to build a CSRF defense.

> You gave the impression
> that there are only two options, and neither of them is ever acceptable.

Most of the time, sites that use the Referer header to defend
themselves against CSRF use lenient Referer validation (meaning they
accept requests that lack a Referer header).  These sites are easy for
attackers to exploit because the attacker can suppress the Referer
header in a number of ways.

In the past, when I've brought these attacks to the attention of these
sites, they explain that they can't use strict Referer validation due
to the 3% of users this locks out.  After the dust settles, these
sites either remain vulnerable or implement a more complex CSRF
defense based on secret tokens.

> That is not the case, there are more options, and some of them lead to
> acceptable results for some applications. There may be others, but that
> is no reason to claim a greater problem than there really is.

Yes, there are techniques that sites can use to defend themselves
against CSRF, but those techniques are (a) expense/complex to engineer
and (b) difficult to retrofit onto existing web sites.  The goal of
the Origin header is to make it easier for most sites to defend
themselves against CSRF.


Received on Saturday, 24 January 2009 07:46:20 UTC