[whatwg] Origin header and <form>s

Adam Barth, John Mitchell, and I have written an academic paper in
support of the Origin header as a CSRF defense:

http://crypto.stanford.edu/websec/csrf/

On Wed, Jul 9, 2008 at 6:59 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> Hi All,
>
> The Access-Control spec [1] adds an 'Origin' header that is submitted with
> all requests. I propose that we specify that <form> POSTs should do the
> same. This would be a very powerful mechanism to prevent CSRF attacks as it
> would allow CSRF prevention to happen in the server, rather than in the
> application layer.
>
> This way servers could be configured to reject all POST requests that have
> an Origin header from a different site.
>
> This wouldn't replace the normal CSRF protections sites need to do for now,
> but eventually enough UAs implement this that servers can just reject POSTs
> that doesn't have 'Origin' set. This would be especially true if we can get
> this feature backported into old browsers (we'll likely backport it to FF3).
>
> / Jonas
>
> [1] http://dev.w3.org/2006/waf/access-control/
>

Received on Wednesday, 9 July 2008 19:24:25 UTC