- From: Collin Jackson <w3c@collinjackson.com>
- Date: Wed, 9 Jul 2008 19:24:25 -0700
Adam Barth, John Mitchell, and I have written an academic paper in support of the Origin header as a CSRF defense: http://crypto.stanford.edu/websec/csrf/

On Wed, Jul 9, 2008 at 6:59 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> Hi All,
>
> The Access-Control spec [1] adds an 'Origin' header that is submitted with
> all requests. I propose that we specify that <form> POSTs should do the
> same. This would be a very powerful mechanism to prevent CSRF attacks as it
> would allow CSRF prevention to happen in the server, rather than in the
> application layer.
>
> This way servers could be configured to reject all POST requests that have
> an Origin header from a different site.
>
> This wouldn't replace the normal CSRF protections sites need to do for now,
> but eventually enough UAs will implement this that servers can just reject POSTs
> that don't have 'Origin' set. This would be especially true if we can get
> this feature backported into old browsers (we'll likely backport it to FF3).
>
> / Jonas
>
> [1] http://dev.w3.org/2006/waf/access-control/
Received on Wednesday, 9 July 2008 19:24:25 UTC
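The server-side check Jonas proposes, as an added example that is not code from the thread or from any W3C or Mozilla project: it rejects state-changing requests whose Origin header names a different site, with a `strict` switch for the end state in which requests lacking Origin are rejected as well. It generalizes slightly beyond form POSTs to other state-changing methods; the function names, the `strict` parameter and the sample origins are assumptions.

```python
"""Origin-header CSRF check at the server layer (added example, not from the thread)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Generalization: the thread discusses <form> POST; other state-changing
# methods get the same treatment here (assumption, not from the thread).
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def normalize_origin(origin):
    """Reduce an origin string to a comparable (scheme, host, port) triple.

    Returns None for anything that is not a well-formed scheme://host[:port]
    origin, including the literal "null" a browser sends for an opaque origin,
    so that such values never compare equal to the site's own origin.
    """
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme.lower() not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme.lower()]
    except ValueError:  # non-numeric port
        return None
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def origin_allows_request(method, headers, site_origin, strict=False):
    """Return True if the request may proceed, False if it must be rejected.

    method:      HTTP method of the request
    headers:     dict of request headers (looked up case-insensitively)
    site_origin: the origin this server considers its own, e.g. "https://example.test"
    strict:      False = transitional mode, a missing Origin header is allowed;
                 True  = the end state Jonas describes, a missing Origin is rejected.
    """
    site = normalize_origin(site_origin)
    if site is None:
        raise ValueError("site_origin must be a well-formed http(s) origin")
    if method.upper() not in STATE_CHANGING:
        return True  # safe methods are not what this check is for
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return not strict
    # Exact (scheme, host, port) match: a different scheme or port is a different site.
    return normalize_origin(origin) == site
```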