- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sat, 24 Jan 2009 22:03:07 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: ietf-http-wg@w3.org
* Adam Barth wrote: >A user who visits such a site with a supporting user agent (which, at >the moment, includes the Chrome dev channel and the WebKit nightlies) >will be protected from CSRF attacks. A site can implement these rules >without impacting users of non-supporting user agents. >Which mod_security rules should a Web site implement to use the >Referer header as a CSRF defense without locking out some of its >users? Adapting the header name and regular expression should do. Of course the difference between the two would be that, and I am assuming proposal and implementations are perfect, the Origin header would protect a few users against all CSRF attacks, while the Referer header would protect nearly all users against some CSRF attacks. Either way the web site would leave some users vulnerable to some CSRF attacks. The attraction of the Origin header is inversly proproptional to a site owner's willingness to leave a substantial, but over time diminishing, portion of his user base vulnerable to attack. If that is okay, you have a great solution. If it is not okay, you will implement some fallback defense, in which case you might just have used the Referer header to decide when to trigger the fallback, if it does not work always anyways. In my book, the latter would be relying on the Referer header to build a CSRF defense, while the the former, relying on the Origin header, is not really a CSRF defense until perfect implementations are universally deployed. But arguing about that is not very useful, my point was and is that you are oversimplifying and thereby overstating your case. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Saturday, 24 January 2009 21:03:45 UTC