
Re: Proposed CSRF countermeasure

From: Michael Shema <mshema@qualys.com>
Date: Tue, 20 Aug 2013 12:07:19 -0700
Message-ID: <CA+ri+V4Q9teS1AWRhuFJnQwAVTb_qTTN2NdY0sgOQyajh-VzQw@mail.gmail.com>
To: John Wilander <john.wilander@owasp.org>
Cc: public-webappsec <public-webappsec@w3.org>
On Tue, Aug 20, 2013 at 1:54 AM, John Wilander <john.wilander@owasp.org> wrote:

> 2013/8/15 Mike Shema <mshema@qualys.com>
>
>> An SOS policy may be applied to one or more cookies for a web application
>> on a per-cookie or collective basis. The policy controls whether the
>> browser includes those cookies during cross-origin requests. (A
>> cross-origin resource cannot access a cookie from another origin, but it
>> may generate a request that causes the cookie to be included.)
>
>
> Michal mentioned it but it wasn't clear to me: does your proposal apply
> only to CORS or to all cross-origin requests (iframes, frame sets, images,
> scripts, style sheets, form gets/posts etc)?
>
>    Regards, John
>

It applies to all cross-origin requests since those are the potential
attack vector for CSRF. In practice, a policy would only be necessary for
areas with CSRF potential. For example, there's likely no reason to worry
about CSRF and pulling resources from a CDN, not to mention that could be a
different origin from the protected target anyway. No requests would be
prevented, but a cookie could be excluded from a request based on a policy.

The original reference to CORS was focused on adopting its concept of
pre-flight requests for the purpose of the browser asking, "Should I
include or exclude this cookie with a cross-origin request?" (As well as
being able to cache responses to reduce bandwidth overhead.)

Many sites expect incoming cross-origin requests. Not all incoming requests
touch a resource that carries risk with regard to CSRF. Hence, the proposal
aims to allow an exception-based policy where it would (or at least,
should) be easy to accommodate "safe" requests while still being able to
block cookies (i.e. a security context) for sensitive resources.

Thanks,
Mike
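To make the decision the message describes concrete (a cookie-level policy that is consulted only when a request is cross-origin, withholds the cookie by default for protected areas, and lets "safe" paths through as exceptions), here is an added example that is not code from the proposal or from the list thread. The policy model (`SosPolicy` with a mode and a list of safe path prefixes), the cookie jar and the site names are assumptions constructed for illustration; the thread does not define a policy syntax, and the pre-flight exchange that would fetch such a policy from the server is not modelled here.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class SosPolicy:
    """Hypothetical per-cookie policy (the thread defines no concrete syntax).

    mode "include" keeps today's behaviour: the cookie rides along on every
    request. mode "exclude" withholds the cookie from cross-origin requests,
    except for targets whose path falls under one of the `safe_paths`
    prefixes (the "exception-based" policy described in the message).
    """
    mode: str = "include"
    safe_paths: tuple = ()


@dataclass
class Cookie:
    name: str
    policy: SosPolicy = field(default_factory=SosPolicy)


def origin_of(url):
    """Return the (scheme, host, port) triple, filling in default ports so
    https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def is_cross_origin(initiator_url, request_url):
    """True when the document issuing the request is not the target's origin.
    Images, frames, scripts and form submissions are all covered, since the
    check looks only at who initiated the request, not at the request type."""
    return origin_of(initiator_url) != origin_of(request_url)


def path_is_safe(path, safe_paths):
    """Prefix match on whole path segments so that an exception for
    /public/ does not accidentally cover /publicX."""
    for prefix in safe_paths:
        base = prefix.rstrip("/")
        if path == prefix or path == base or path.startswith(base + "/"):
            return True
    return False


def cookie_included(cookie, initiator_url, request_url):
    """Decide whether the browser attaches `cookie` to a request for
    `request_url` that was triggered by a document at `initiator_url`.
    No request is ever blocked; only the cookie is dropped."""
    if not is_cross_origin(initiator_url, request_url):
        return True  # same-origin: the policy never applies
    if cookie.policy.mode == "include":
        return True  # unprotected cookie: behaves exactly as today
    path = urlsplit(request_url).path or "/"
    return path_is_safe(path, cookie.policy.safe_paths)


def cookies_for_request(jar, initiator_url, request_url):
    """Names of the cookies in `jar` that the request would carry."""
    return [c.name for c in jar if cookie_included(c, initiator_url, request_url)]


# Constructed sample jar for a hypothetical site https://bank.example:
# the session cookie is protected, with a public asset area as the exception;
# the preferences cookie has no policy and is sent everywhere.
SAMPLE_JAR = [
    Cookie("session", SosPolicy("exclude", ("/public/",))),
    Cookie("prefs"),
]

if __name__ == "__main__":
    for initiator, target in [
        ("https://bank.example/home", "https://bank.example/transfer"),
        ("https://other.example/", "https://bank.example/transfer"),
        ("https://other.example/", "https://bank.example/public/logo.png"),
    ]:
        print(initiator, "->", target, cookies_for_request(SAMPLE_JAR, initiator, target))
```

The second case is the one the proposal cares about: a request that a document on another origin causes the browser to send still reaches the sensitive resource, but without the session cookie it carries no security context. The third case shows the exception path, where the protected site has declared a public area for which cross-origin requests may keep the cookie.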
Received on Tuesday, 20 August 2013 19:07:47 UTC
