
Re: XHR without user credentials

From: Tyler Close <tyler.close@gmail.com>
Date: Sat, 13 Jun 2009 12:32:33 -0700
Message-ID: <5691356f0906131232k5f6a3577xe25bd6b1ff741796@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Sat, Jun 13, 2009 at 12:20 PM, Tyler Close<tyler.close@gmail.com> wrote:
> On Sat, Jun 13, 2009 at 10:23 AM, Adam Barth<w3c@adambarth.com> wrote:
>> Alternatively, if the server is using IP-based authentication, it could
>> be used to mount a CSRF attack (e.g., inflate the bill at the ACM
>> digital library, which uses IP-based authentication).
> Since such servers aren't currently looking for the Origin header,
> adding the header still won't protect them. I'm also not sure they
> would block on the header if they did know about it. If they think
> IP-based authentication is good enough, are they really going to
> reject a request with "Origin: null"?

If they did, I could deflate my bill by submitting my own requests
with the "Origin: null" header using curl. ;)


"Waterken News: Capability security on the Web"
Received on Saturday, 13 June 2009 19:33:05 UTC
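The thread turns on whether a server that relies on IP-based authentication actually inspects the Origin header at all. The following is an added example, not code from this thread or from any of its participants, showing the minimal server-side classification such a server would need before the header gives it any CSRF protection; the allowlist, the header-lookup helper and the policy in `allow_state_change` are assumptions made for illustration.

```python
"""Added example: classify the Origin request header on the server side.

A server that authenticates clients by IP address gets no protection
from Origin unless it reads the header and turns it into a decision.
Everything below (origins, policy, helper names) is constructed for
illustration and is not taken from the mailing-list thread.
"""
from typing import Mapping, Optional

# Constructed allowlist: origins whose pages may issue state-changing
# requests on behalf of an IP-authenticated client.
TRUSTED_ORIGINS = frozenset({
    "https://library.example.org",
})


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def classify_origin(origin: Optional[str]) -> str:
    """Map an Origin header value to one of four categories.

    "same-site" - names an origin on the allowlist
    "null"      - the literal "null": the browser is deliberately not
                  telling us where the request came from
    "absent"    - no Origin header at all, e.g. a non-browser client
                  (curl) or a request type the browser does not label
    "foreign"   - a well-formed origin that is not on the allowlist
    """
    if origin is None:
        return "absent"
    value = origin.strip()
    if value == "null":
        return "null"
    if value in TRUSTED_ORIGINS:
        return "same-site"
    return "foreign"


def allow_state_change(headers: Mapping[str, str],
                       client_ip_authenticated: bool) -> bool:
    """Decide whether an IP-authenticated request may change state.

    Policy (an assumption for this example): only a request that the
    browser attributes to a trusted origin is allowed. "null", foreign
    and absent origins are all refused, because in each case the server
    cannot tell that one of its own pages initiated the request. Note
    that this refuses plain non-browser clients too, which is exactly
    the trade-off the thread is arguing about.
    """
    if not client_ip_authenticated:
        return False
    return classify_origin(get_header(headers, "Origin")) == "same-site"


if __name__ == "__main__":
    # Constructed sample requests, all from an IP-authenticated client.
    samples = {
        "trusted page":  {"Origin": "https://library.example.org"},
        "cross-site":    {"Origin": "https://other.example"},
        "null origin":   {"origin": "null"},
        "no header":     {},
    }
    for label, hdrs in samples.items():
        print(f"{label:13s} -> {allow_state_change(hdrs, True)}")
```

Run as a script, the sample table shows that only the request carrying a trusted origin is accepted; the "null" request, which the thread's reply jokes about sending from curl, is refused just like a cross-site one, and a request with no Origin header is refused as well.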
