Re: Origin (was: Re: XHR LC Draft Feedback)

* Adam Barth wrote:
>We suggest that user agents attach an Origin header to POST requests.
>This balances the security benefits of easy CSRF protection with the
>privacy costs.  If user agents attached this header, sites could
>protect themselves from CSRF by (2) undertaking state-modify actions
>only in response to POST requests and (2) implementing the below web
>application firewall rule (e.g., ModSecurity rule):

Isn't that balance a little bit odd? You can virtually eliminate the
privacy concerns simply by saying no more than "This request has been
initiated from a site different from the one mentioned in the Host
header", say, `Pragma: cross-site`, without losing much flexibility.
The scan for "pragma contains 'cross-site'" is also easier to set up.
Björn Höhrmann · ·
Weinh. Str. 22 · Telefon: +49(0)621/4309674 ·
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · 

Received on Saturday, 21 June 2008 21:58:08 UTC