- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sat, 21 Jun 2008 23:57:29 +0200
- To: "Adam Barth" <public-webapi@adambarth.com>
- Cc: "Collin Jackson" <collinj@cs.stanford.edu>, "Web API WG (public)" <public-webapi@w3.org>, public-webapps@w3.org
* Adam Barth wrote:
>We suggest that user agents attach an Origin header to POST requests.
>This balances the security benefits of easy CSRF protection with the
>privacy costs. If user agents attached this header, sites could
>protect themselves from CSRF by (1) undertaking state-modifying actions
>only in response to POST requests and (2) implementing the below web
>application firewall rule (e.g., ModSecurity rule):

Isn't that balance a little bit odd? You can virtually eliminate the
privacy concerns simply by saying no more than "This request has been
initiated from a site different from the one mentioned in the Host
header", say, `Pragma: cross-site`, without losing much flexibility.
The scan for "pragma contains 'cross-site'" is also easier to set up.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Saturday, 21 June 2008 21:58:08 UTC
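The two server-side checks discussed in this thread, as an added example that is not part of the original message or of either proposal's own code: rule (1) restricts state changes to POST, and rule (2) rejects a POST the browser has marked as cross-site, either by comparing an `Origin` header against `Host` (the Barth/Jackson proposal) or by looking for a bare `Pragma: cross-site` token (Höhrmann's alternative). The request dictionaries, header handling and the fail-open treatment of a request carrying neither header are assumptions made for the example.

```python
from urllib.parse import urlsplit


def origin_matches_host(origin: str, host: str) -> bool:
    """True if the Origin header names the same host[:port] as the Host header."""
    # "null" is an opaque origin: never treat it as same-site.
    if origin.strip().lower() == "null":
        return False
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return parts.netloc.lower() == host.strip().lower()


def pragma_marks_cross_site(pragma: str) -> bool:
    """True if the comma-separated Pragma token list contains 'cross-site'."""
    tokens = {t.strip().lower() for t in pragma.split(",")}
    return "cross-site" in tokens


def allow_state_change(method: str, headers: dict, scheme: str = "origin") -> bool:
    """Gate for state-modifying requests; header names are assumed lower-cased.

    scheme == "origin": reject a POST whose Origin does not match Host.
    scheme == "pragma": reject a POST flagged with Pragma: cross-site.
    Assumption: a POST carrying neither header (a browser predating the
    proposal) is allowed, since both proposals rely on browser cooperation.
    """
    if method.upper() != "POST":          # rule (1)
        return False
    if scheme == "origin":                # rule (2), Origin/Host comparison
        origin = headers.get("origin")
        if origin is None:
            return True
        return origin_matches_host(origin, headers.get("host", ""))
    if scheme == "pragma":                # rule (2), single cross-site flag
        return not pragma_marks_cross_site(headers.get("pragma", ""))
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    same_site = {"host": "example.com", "origin": "http://example.com"}
    cross_site = {"host": "example.com", "origin": "http://attacker.example"}
    print(allow_state_change("POST", same_site))    # True
    print(allow_state_change("POST", cross_site))   # False
```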