- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 13 Jun 2009 10:23:48 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Sat, Jun 13, 2009 at 5:39 AM, Tyler Close <tyler.close@gmail.com> wrote:
> On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Suppose GuestXHR doesn't send an Origin header for any requests and a
>> server uses the algorithm in draft-abarth-origin to mitigate CSRF
>> attacks. Now, an attacker can mount a CSRF attack against the server.
>
> Could you provide a bit more detail here? I don't understand how an
> attacker could mount a CSRF attack using GuestXHR, if there are no
> user credentials in a GuestXHR request.

For example, GuestXHR could be used to mount a login CSRF attack.
Alternatively, if the server is using IP-based authentication, it could
be used to mount a CSRF attack (e.g., inflate the bill at the ACM digital
library, which uses IP-based authentication).

> It seems to me that Origin is only about telling a server how to treat
> user credentials attached to a request.

The Origin-as-CSRF-defense is about giving the server advice on when to
change state. Oftentimes user credentials are also involved in this
decision, but that's not necessary.

Adam
Received on Saturday, 13 June 2009 17:24:46 UTC
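The point of the exchange above, as an added example that is not part of the thread, draft-abarth-origin, or any browser's code: a server that decides whether to process a state-changing request from the Origin header alone, and that (by assumption here, modelling tolerance for legacy user agents) accepts a request carrying no Origin header at all, will process a login POST from an Origin-less client regardless of whether any cookies accompany it. The requests, origins and endpoint are constructed for the example.

```python
"""Toy server-side Origin check; added example, not code from the thread."""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed to never change state


def origin_allowed(request, trusted_origins, accept_missing_origin):
    """Return True if the server should process a state-changing request.

    accept_missing_origin models the lenient policy discussed in the thread:
    a request with no Origin header is processed as if it were trusted.
    """
    if request["method"] in SAFE_METHODS:
        return True
    headers = {k.lower(): v for k, v in request["headers"].items()}
    origin = headers.get("origin")
    if origin is None:
        return accept_missing_origin
    return origin in trusted_origins


# Constructed sample requests against a login endpoint. A login CSRF needs
# no victim credentials: the request body itself carries the account that
# the victim's browser will be logged into, so Cookie is irrelevant.
TRUSTED = {"https://bank.example"}
LOGIN_POST = {"method": "POST", "path": "/login", "body": "user=u&pass=p"}


def guestxhr_style():
    # No Origin and no Cookie: the credential-less request from the thread.
    return dict(LOGIN_POST, headers={"Content-Type": "text/plain"})


def cross_site_form_post():
    # Cross-site form post from a user agent that does send Origin.
    return dict(LOGIN_POST, headers={"Origin": "https://other.example",
                                     "Cookie": "sid=victim"})


def same_site_post():
    return dict(LOGIN_POST, headers={"Origin": "https://bank.example",
                                     "Cookie": "sid=victim"})


def evaluate(accept_missing_origin):
    """Decision for each constructed request under one policy."""
    return {
        "guestxhr": origin_allowed(guestxhr_style(), TRUSTED, accept_missing_origin),
        "cross_site_form": origin_allowed(cross_site_form_post(), TRUSTED, accept_missing_origin),
        "same_site": origin_allowed(same_site_post(), TRUSTED, accept_missing_origin),
    }
```

Under the lenient policy the Origin-less login POST is processed while the Origin-bearing cross-site one is refused; only the strict policy (missing Origin on a state-changing request is refused) closes that gap.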