[whatwg] CSRFs and Origin header and <form>s

On Sat, 29 Nov 2008, Adam Barth wrote:
> On Sat, Nov 29, 2008 at 8:13 PM, Ian Hickson <ian at hixie.ch> wrote:
> > On Wed, 9 Jul 2008, Jonas Sicking wrote:
> >> This way servers could be configured to reject all POST requests that 
> >> have an Origin header from a different site.
> >
> > I'm all in favour of doing this, but isn't this something that belongs 
> > in the HTTP spec rather than HTML5?
> 
> I've taken the liberty of writing up a mini-spec for the proposal:
> 
> http://crypto.stanford.edu/websec/specs/origin-header/
> 
> I'm not sure if the HTTP spec is the most appropriate place because the 
> spec has a dependency on HTML 5 to compute the ASCII serialization of 
> the origin.

Well I don't mind putting it in HTML5 if that's where it has to be. Might 
be worth asking the HTTP WG for advice though.


Regarding the open issue -- it seems like whenever a cross-origin redirect 
takes place, the origin of the redirecting site should be used, instead of 
the original origin. (But the origin should survive same-origin redirects 
unaffected.)

That would reduce the attack surface area to just the case of a hostile 
site finding a redirect on a site trusted by the victim that redirects to 
a victim site. Not sure if there's anything we can do about that case.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 29 November 2008 22:20:05 UTC
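As an added illustration (not part of this thread or of Adam's draft spec), here is a Python sketch of the two pieces discussed above: the server-side check Jonas describes (reject state-changing requests whose Origin header names a different site) and Ian's proposed rule for what the Origin header should carry after a redirect. The `trusted_origins` set, the `require_origin` policy switch, and the treatment of a missing or `null` Origin are assumptions made for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def ascii_origin(url):
    """Serialize a URL's origin as scheme://host[:port].

    Follows the HTML5 ASCII serialization the draft refers to: host is
    lowercased and a default port is omitted. URLs with no network host
    (e.g. data:) serialize as 'null'."""
    parts = urlsplit(url)
    if not parts.hostname or parts.scheme not in DEFAULT_PORTS:
        return "null"
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    host = parts.hostname.lower()
    if port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def should_accept(method, headers, trusted_origins, require_origin=False):
    """Decide whether a request passes the Origin-based CSRF check.

    Returns (accept, reason). Safe methods always pass. For state-changing
    methods a foreign or 'null' Origin is rejected. A missing Origin
    (legacy client) is accepted unless require_origin is set; that policy
    choice is an assumption of this example, not something the thread fixes."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = {k.lower(): v for k, v in headers.items()}.get("origin")
    if origin is None:
        return (not require_origin), "no Origin header"
    if origin == "null":
        return False, "null origin"
    if origin in trusted_origins:
        return True, "trusted origin"
    return False, f"foreign origin {origin}"


def origin_after_redirect(request_origin, redirecting_url, target_url):
    """Ian's rule for the open issue: a same-origin redirect leaves the
    Origin unchanged; a cross-origin redirect replaces it with the origin
    of the redirecting site, so the final server sees who sent it there."""
    redirector = ascii_origin(redirecting_url)
    if redirector == ascii_origin(target_url):
        return request_origin
    return redirector
```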