
Re: Proposed CSRF countermeasure

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sun, 18 Aug 2013 12:54:10 -0700
Message-ID: <CALx_OUBvEBZRtLhXSa2A0YGSUvz6fc7eA0kUb=jeU5QmUKfaEw@mail.gmail.com>
To: Mike Shema <mshema@qualys.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

> This is intended to affect cross-origin requests made by a browser.

In your proposal, what constitutes a cross-origin request? While the case
of <iframe> or <script> subresources is clear, would a 'self' policy
prevent third-party sites from as little as providing a fully-working link
to a protected application?

What would be the behavior for requests made from origins such as
data:text/html,...?

Note a possible incompatibility between meta referrer=never and preflight
requests.

Also note that such protections would be inherently ineffective for GET
XSRF on sites that:

1) Use internal redirectors. Any site that accepts something like
/foo?returnURL=/local_path/ (this does not have to be an open redirector,
just a site-scoped one) would be vulnerable.

2) Permit user-controlled links of any sort (webmail systems, social
networks, online forums, and a good chunk of other complex web apps).

/mz
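A small model of the 'self' policy the reply questions, with the user-controlled-link caveat (point 2) and the data: URL question worked through. This is an added example, not code from the thread or from the proposal; APP_ORIGIN, the paths and the WebmailPage class are constructed for illustration, and treating opaque origins as non-self is a choice made here, not something the proposal states.

```python
from urllib.parse import urlsplit

# Constructed origin for the protected application (assumption, not from the thread).
APP_ORIGIN = "https://app.example"


def origin_of(url):
    """Return scheme://host[:port] for http(s) URLs. data:, about: and similar
    sources have no such origin, so None is returned and the policy must decide."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def self_policy_allows(initiator_url, target_url):
    """Model of a 'self' CSRF policy: a request to the protected app is allowed
    only when the document that initiated it is same-origin with the app.
    Opaque initiators (None) are treated as non-self here; that is this model's
    choice, the reply asks the proposal to define it."""
    if origin_of(target_url) != APP_ORIGIN:
        return True  # the policy only covers the app's own resources
    return origin_of(initiator_url) == APP_ORIGIN


class WebmailPage:
    """A page served by the app itself that renders links supplied by other
    users (constructed stand-in for the webmail/forum case in point 2)."""
    url = f"{APP_ORIGIN}/mail/inbox"

    def __init__(self, body_links):
        self.links = list(body_links)

    def clicks(self):
        # Every click on a rendered link is initiated by an app.example document.
        return [(self.url, link) for link in self.links]


def evaluate_cases():
    target = f"{APP_ORIGIN}/account/settings?notify=off"  # constructed state-changing GET
    results = {}
    # A plain link on an unrelated site: the policy does what it was designed for.
    results["third_party_link"] = self_policy_allows("https://third-party.example/page", target)
    # The same link pasted into a message the app renders: the initiator is self,
    # so an origin-based policy cannot distinguish it from the app's own links.
    inbox = WebmailPage(body_links=[target])
    results["user_controlled_link"] = all(self_policy_allows(i, t) for i, t in inbox.clicks())
    # Navigation from a data: URL has no http(s) origin; see the note in the policy.
    results["data_url_initiator"] = self_policy_allows("data:text/html,<a href=x>", target)
    return results
```

The "user_controlled_link" result is the point of the caveat: once the site renders links it does not author, an origin-based check alone no longer says anything about who chose the URL.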
Received on Sunday, 18 August 2013 19:54:59 UTC
