- From: Bil Corry <bil@corry.biz>
- Date: Wed, 14 Jan 2009 19:32:57 -0600
- To: Maciej Stachowiak <mjs@apple.com>
- CC: Adrian Bateman <adrianba@microsoft.com>, Anne van Kesteren <annevk@opera.com>, Jonas Sicking <jonas@sicking.cc>, "public-webapps@w3.org" <public-webapps@w3.org>
Maciej Stachowiak wrote on 1/14/2009 6:14 PM:
> Why does the CSRF defense header need to change on redirect?

Because to the site on the far end, it would appear the request came from somewhere it didn't, effectively hiding the real source of the request. This probably explains it better:

-----
When an honest site initiates a request to a dishonest site (for example because the user followed a hyperlink), the dishonest site can redirect the request back to the honest site. If the redirected request carries the same Origin header as the original request, the request will implicate the honest site as generating the request. To protect the honest site, the user agent replaces the Origin header with null, so a conforming server will not modify state in response to a redirect.

http://crypto.stanford.edu/websec/specs/origin-header/
-----

- Bil
Received on Thursday, 15 January 2009 01:33:42 UTC
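The redirect scenario quoted above, as an added illustration that is not part of the thread or of the Stanford draft: a small model of the user agent replacing Origin with null once a redirect crosses origins, plus the check a conforming server would make before modifying state. The site names and URL paths are constructed for the example.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed example origins (assumptions, not from the thread): an "honest"
# site the user is logged in to and a "dishonest" site that bounces requests
# back to it.
HONEST = "https://honest.example"
DISHONEST = "https://dishonest.example"


def origin_of(url: str) -> str:
    """Serialize the origin (scheme://host[:port]) of an absolute URL."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def origin_after_redirects(initiating_origin: str, hops: List[str]) -> str:
    """Model the user-agent rule quoted in the mail: once a request has been
    redirected to a different origin, the Origin header becomes 'null' so the
    honest site is not implicated as the source. A chain that never leaves one
    origin keeps the initiating origin (the refinement later adopted by the
    Fetch standard as its 'tainted origin' rule)."""
    origin = initiating_origin
    for previous, current in zip(hops, hops[1:]):
        if origin_of(previous) != origin_of(current):
            origin = "null"
    return origin


def allows_state_change(origin_header: Optional[str], site_origin: str) -> bool:
    """Conforming server check for a state-modifying request: the Origin header
    must be present, must not be 'null', and must equal this site's own origin
    (trusted third-party origins could be added to an allow-list)."""
    if origin_header is None or origin_header == "null":
        return False
    return origin_header == site_origin


def scenario(initiating_origin: str, hops: List[str]) -> bool:
    """Whether the site receiving the final hop would modify state."""
    final_origin = origin_of(hops[-1])
    return allows_state_change(origin_after_redirects(initiating_origin, hops), final_origin)


if __name__ == "__main__":
    # User follows a link from the honest site; the dishonest site 302s the
    # request back to a state-changing endpoint on the honest site.
    bounced = [f"{DISHONEST}/go", f"{HONEST}/transfer"]
    print(origin_after_redirects(HONEST, bounced))  # null
    print(scenario(HONEST, bounced))                # False: state change refused
    # Ordinary same-site flow, even through a same-origin redirect.
    print(scenario(HONEST, [f"{HONEST}/transfer", f"{HONEST}/transfer/confirm"]))  # True
```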