- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Sat, 18 Feb 2012 16:51:14 +0100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Fri 2012-02-17 at 15:08 -0800, Martin Thomson wrote:

> Damn, I can be dense sometimes. Obviously, if I can convince you to
> send me a POST that says "transfer $10 to acct number X" (which is
> trivially easy) and then redirect you to your bank, if you have an
> open session and the bank doesn't check Referer (though that wouldn't
> necessarily help), you've just made an easy $10.

Yes.

> Are there any measures that browsers could take to limit this sort of
> thing?

Yes, and they do to various degrees.

> Just off the cuff, it seems to me that a method preserving redirect
> (307, 308) should almost operate in the same sort of security context
> as a cross domain request (CORS). That means that user credentials
> are removed unless the target resource explicitly accepts them. Or
> you could just take the position that this is a problem for the target
> site.

It's a problem for all involved.

User agents should limit the exposure of automatic cross-domain actions other than GET.

Non-safe methods (i.e. mostly anything except for HEAD/GET) should not be automatically retried on redirect.

Origin servers with user-sensitive actions performed via POST need to use embedded session parameters to protect from cross-domain actions (i.e. an embedded one-time parameter in forms to verify the origin of the submitting form).

Regards
Henrik
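The last point above, an embedded one-time form parameter that the origin server checks on every state-changing POST, is shown below as an added example; it is not code from this thread or from any IETF project. It assumes a constructed in-memory session store, a request represented as a plain dict (method, cookies, body), and a single hypothetical `/transfer` handler. The token is a per-form nonce MACed with a per-session secret and bound to the action name, so a forged cross-site POST (cookie attached by the browser, but no readable token) and a replay of an already-used token are both rejected.

```python
"""Synchronizer-token check for a state-changing POST (constructed example).

Assumed: a tiny in-memory session store and a request represented as a
dict with "method", "cookies" and "body" keys. Not a real framework.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

SESSIONS = {}  # session id -> session state (constructed in-memory store)


def new_session(user, balance=100):
    """Create a logged-in session with its own CSRF secret."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": user,
        "balance": balance,
        "csrf_secret": secrets.token_bytes(32),
        "live_nonces": set(),  # one-time nonces issued but not yet consumed
    }
    return sid


def issue_form_token(sid, action):
    """Value to embed as a hidden field in the HTML form: a fresh nonce,
    MACed with the session secret and bound to the action the form performs."""
    sess = SESSIONS[sid]
    nonce = secrets.token_urlsafe(8)
    mac = hmac.new(sess["csrf_secret"], f"{action}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    sess["live_nonces"].add(nonce)
    return f"{nonce}.{mac}"


def _token_valid(sess, action, token):
    """Verify the MAC, then consume the nonce so the token works exactly once."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(sess["csrf_secret"], f"{action}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    if nonce not in sess["live_nonces"]:
        return False  # never issued for this session, or already used (replay)
    sess["live_nonces"].discard(nonce)
    return True


def handle_transfer(request):
    """Handle POST /transfer (hypothetical endpoint). Returns (status, body)."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    sid = request.get("cookies", {}).get("session")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "no session"
    form = {k: v[0] for k, v in parse_qs(request.get("body", "")).items()}
    # The cookie alone proves nothing about which site built the form;
    # the embedded token does, because a cross-origin page cannot read it.
    if not _token_valid(sess, "transfer", form.get("csrf_token", "")):
        return 403, "missing or invalid form token"
    amount = int(form.get("amount", "0"))
    if amount <= 0 or amount > sess["balance"]:
        return 400, "bad amount"
    sess["balance"] -= amount
    return 200, f"transferred {amount} to {form.get('to')}"


def demo():
    """Legitimate submission, a forged cross-site POST, and a replay.
    Returns the three status codes and the final balance."""
    sid = new_session("alice")
    cookie = {"session": sid}
    token = issue_form_token(sid, "transfer")
    legit = {"method": "POST", "cookies": cookie,
             "body": f"to=X&amount=10&csrf_token={token}"}
    # Cross-site forgery: the browser attaches the session cookie, but the
    # attacker's page never saw the token, so the body carries none.
    forged = {"method": "POST", "cookies": cookie, "body": "to=X&amount=10"}
    replay = dict(legit)  # the same token submitted a second time
    statuses = [handle_transfer(r)[0] for r in (legit, forged, replay)]
    return statuses, SESSIONS[sid]["balance"]


if __name__ == "__main__":
    print(demo())
```

Binding the MAC to the action name means a token issued for one form cannot be redirected at a different handler, and consuming the nonce on first use closes the replay that a method-preserving redirect of an already-submitted body would otherwise allow.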
Received on Saturday, 18 February 2012 15:52:14 UTC