Re: #328: user Intervention on Redirects

On Fri 2012-02-17 at 15:08 -0800, Martin Thomson wrote:

> Damn, I can be dense sometimes.  Obviously, if I can convince you to
> send me a POST that says "transfer $10 to acct number X" (which is
> trivially easy) and then redirect you to your bank, if you have an
> open session and the bank doesn't check Referer (though that wouldn't
> necessarily help), you've just made an easy $10.

Yes.

> Are there any measures that browsers could take to limit this sort of
> thing?

Yes, and they do to various degrees.

> Just off the cuff, it seems to me that a method preserving redirect
> (307, 308) should almost operate in the same sort of security context
> as a cross domain request (CORS).  That means that user credentials
> are removed unless the target resource explicitly accepts them.  Or
> you could just take the position that this is a problem for the target
> site.

It's a problem for all involved.

User agents should limit the exposure of automatic cross-domain actions
other than GET.

Non-safe methods (i.e. mostly anything except for HEAD/GET) should not
be automatically retried on redirect.

Origin servers with user-sensitive actions performed via POST need to
use embedded session parameters to protect against cross-domain actions
(i.e., an embedded one-time parameter in forms to verify the origin of
the submitting form).

Regards,
Henrik

Received on Saturday, 18 February 2012 15:52:14 UTC
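The origin-server mitigation Henrik describes, as an added example that is not part of this thread: a per-session one-time token embedded in the form and consumed on POST, so a POST that reaches the bank via a cross-site 307/308 redirect (carrying the victim's cookies but no token issued to that session) is rejected, and a captured token cannot be replayed. The `CsrfTokenStore` class, the `/transfer` form and `session_id` (standing for the session identified by the cookie) are assumptions of this example.

```python
import hmac
import secrets


class CsrfTokenStore:
    """Per-session one-time form tokens (synchronizer-token pattern).
    Tokens are keyed by session so a token issued to one session cannot
    authorise a POST made under another session's cookies."""

    def __init__(self):
        self._outstanding = {}  # session_id -> set of unused tokens

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id, presented):
        """Return True and retire the token if it is valid for this session."""
        tokens = self._outstanding.get(session_id, set())
        for token in list(tokens):
            # Constant-time compare on bytes so odd input cannot raise
            if hmac.compare_digest(token.encode(), presented.encode()):
                tokens.discard(token)  # one-time: a replay of it fails
                return True
        return False


def render_transfer_form(store, session_id):
    """Embed a fresh token in the form served to the logged-in user."""
    token = store.issue(session_id)
    return ('<form method="POST" action="/transfer">\n'
            f'  <input type="hidden" name="csrf_token" value="{token}">\n'
            '  <input name="account"><input name="amount">\n</form>')


def handle_transfer(store, session_id, form):
    """POST handler: the session cookie alone is not enough; the body must
    carry a token this session was issued. A POST relayed by a cross-site
    307/308 redirect arrives with the cookies but without such a token."""
    if not store.consume(session_id, form.get("csrf_token", "")):
        return 403, "missing, foreign or replayed csrf_token"
    return 200, f"transferred {form['amount']} to {form['account']}"


if __name__ == "__main__":
    store = CsrfTokenStore()
    token = store.issue("victim-session")  # as render_transfer_form would
    ok = {"csrf_token": token, "account": "X", "amount": "10"}
    print(handle_transfer(store, "victim-session", ok))      # status 200
    print(handle_transfer(store, "victim-session", ok))      # 403: replay
    forged = {"account": "X", "amount": "10"}                 # constructed redirected POST
    print(handle_transfer(store, "victim-session", forged))  # 403: no token
```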