- From: Tyler Close <tyler.close@gmail.com>
- Date: Sat, 13 Jun 2009 12:32:33 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Sat, Jun 13, 2009 at 12:20 PM, Tyler Close<tyler.close@gmail.com> wrote:
> On Sat, Jun 13, 2009 at 10:23 AM, Adam Barth<w3c@adambarth.com> wrote:
>> Alternatively, if the server is using IP-based authentication, it could
>> be used to mount a CSRF attack (e.g., inflate the bill at the ACM
>> digital library, which uses IP-based authentication).
>
> Since such servers aren't currently looking for the Origin header,
> adding the header still won't protect them. I'm also not sure they
> would block on the header if they did know about it. If they think
> IP-based authentication is good enough, are they really going to
> reject a request with "Origin: null"?

If they did, I could deflate my bill by submitting my own requests with
the "Origin: null" header using curl. ;)

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Saturday, 13 June 2009 19:33:05 UTC
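The exchange above turns on what a server should do with a missing or "null" Origin header on a state-changing request. The following is an added example, not code from the thread or from any of its participants: a server-side check that allowlists origins and treats both an absent header and the literal value "null" as untrusted, since a client outside the browser (curl, as Tyler notes) can send either at will. The allowlist value and the sample requests are constructed for illustration.

```python
from typing import Mapping, Optional

# Hypothetical allowlist of origins permitted to issue state-changing
# requests to this service (an assumption of this example).
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})
STATE_CHANGING = frozenset({"POST", "PUT", "DELETE", "PATCH"})


def origin_allowed(method: str, headers: Mapping[str, str]) -> bool:
    """Return True if the request may proceed.

    Safe methods are always allowed; they must not change state.
    For state-changing methods the Origin header must be present and
    on the allowlist. A missing header and the literal value "null"
    are both rejected: neither proves the request came from our own
    pages, and a non-browser client can set either freely, so the
    IP address the request arrives from is no substitute for this check.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    origin: Optional[str] = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "origin":
            origin = value.strip()
            break
    if origin is None or origin.lower() == "null":
        return False
    return origin in ALLOWED_ORIGINS


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", {"Origin": "https://app.example.com"}),  # legitimate same-origin page
    ("POST", {"Origin": "https://other.example"}),    # cross-site page
    ("POST", {"Origin": "null"}),                     # e.g. curl sending Origin: null
    ("POST", {}),                                     # no Origin header at all
    ("GET", {}),                                      # safe method, no check needed
]


def evaluate_samples() -> list:
    """Run the check over the constructed samples; returns allow/reject per request."""
    return [origin_allowed(method, headers) for method, headers in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, headers), ok in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(method, headers, "->", "allow" if ok else "reject")
```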