- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 09 Jul 2008 18:59:54 -0700
Hi All,

The Access-Control spec [1] adds an 'Origin' header that is submitted with all requests. I propose that we specify that <form> POSTs should do the same.

This would be a very powerful mechanism to prevent CSRF attacks as it would allow CSRF prevention to happen in the server, rather than in the application layer. This way servers could be configured to reject all POST requests that have an Origin header from a different site.

This wouldn't replace the normal CSRF protections sites need to do for now, but eventually enough UAs will implement this that servers can just reject POSTs that don't have 'Origin' set. This would be especially true if we can get this feature backported into old browsers (we'll likely backport it to FF3).

/ Jonas

[1] http://dev.w3.org/2006/waf/access-control/
Received on Wednesday, 9 July 2008 18:59:54 UTC
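A server-layer check of the kind described in the post, written as an added example (it is not code from the post, from Mozilla, or from the Access-Control spec). The site origin set, the transition/strict switch and the sample requests are constructed for the example; the check only decides whether a POST may proceed, and in transition mode it still defers to the application's own CSRF defence when no Origin header is present.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed for the example: the origins this server serves its own pages from.
SITE_ORIGINS = {"https://example.com"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value: str) -> Optional[str]:
    """Canonicalise an Origin header value (scheme://host[:port]).

    Returns None for anything that is not a single well-formed origin,
    including the opaque 'null' origin and values carrying a path or query.
    """
    if value == "null":
        return None
    try:
        parts = urlsplit(value)
        host, port = parts.hostname, parts.port  # .port raises ValueError on junk
    except ValueError:
        return None
    if (parts.scheme not in DEFAULT_PORTS or not host
            or parts.path not in ("", "/") or parts.query or parts.fragment):
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def accept_post(headers: dict, strict: bool = False) -> bool:
    """Decide at the server layer whether a POST may proceed.

    strict=False (transition period): a request without an Origin header is
                 passed through so the application's own CSRF check still runs.
    strict=True  (once all UAs send Origin): a missing header is rejected.
    """
    raw = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if raw is None:
        return not strict
    origin = normalize_origin(raw.strip())
    return origin is not None and origin in SITE_ORIGINS


if __name__ == "__main__":
    # Constructed sample requests: same-site, cross-site, opaque, and missing Origin.
    for hdrs in ({"Origin": "https://example.com"}, {"Origin": "https://other.example"},
                 {"Origin": "null"}, {}):
        print(hdrs, "->", accept_post(hdrs), "(strict:", accept_post(hdrs, strict=True), ")")
```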