[whatwg] CSRFs and Origin header and <form>s

On Sat, Nov 29, 2008 at 10:20 PM, Ian Hickson <ian at hixie.ch> wrote:
> Regarding the open issue -- it seems like whenever a cross-origin redirect
> takes place, the origin of the redirecting site should be used, instead of
> the original origin. (But the origin should survive same-origin redirects
> unaffected.)

That makes sense for CSRF mitigation, but it might not make sense for
cross-site XMLHttpRequest.  In that case, we'd like the header to
identify which origin will get to read the response (i.e., the
JavaScript context that initiated the request, not the redirector).

> That would reduce the attack surface area to just the case of a hostile
> site finding a redirect on a site trusted by the victim that redirects to
> a victim site. Not sure if there's anything we can do about that case.

Another possibility is to replace the Origin header with "null" if
there is a cross-origin redirect.  The idea in this design is that
multiple origins have contributed to the request and the browser can't
clearly disentangle them.  This design should address the
open-redirector case as well.

Adam

Received on Saturday, 29 November 2008 22:38:22 UTC
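To make the two proposals concrete, here is an added example (not part of the thread, not from any browser implementation) that models the Origin header a browser would send after a redirect chain under each rule, next to the server-side check a site would apply. The hostnames and URLs are constructed, and "same-origin redirect" is interpreted as "the redirector's origin equals the current Origin value"; both are assumptions.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Serialize the origin (scheme://host[:port]) of an absolute URL."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}"


def origin_header(initiator: str, requests: list[str], null_on_cross: bool) -> str:
    """Origin header value on the final request of a redirect chain.

    initiator: URL of the page whose <form> started the request
    requests:  URLs fetched in order; every one but the last answered with a redirect
    null_on_cross=False: cross-origin redirect replaces Origin with the redirector's
                         origin (Ian's proposal)
    null_on_cross=True:  cross-origin redirect replaces Origin with "null" (Adam's
                         proposal); once null it stays null
    Assumption: a redirect is same-origin when the redirector's origin equals the
    current Origin value, in which case the value is left unchanged.
    """
    origin = origin_of(initiator)
    for redirector in requests[:-1]:
        r = origin_of(redirector)
        if r == origin:
            continue  # same-origin redirect: Origin survives unaffected
        origin = "null" if null_on_cross else r
    return origin


def csrf_allows(headers: dict, trusted_origins: set[str]) -> bool:
    """Server-side check for a state-changing request.

    Accept only when Origin names a trusted origin. "null" (several origins
    contributed, the browser could not disentangle them) and a missing header
    are both rejected, so the open-redirector chain fails under the null design.
    """
    origin = headers.get("Origin")
    return origin is not None and origin != "null" and origin in trusted_origins


if __name__ == "__main__":
    # Constructed scenario from the thread: a hostile page posts a form to an
    # open redirector on a site the victim trusts, which forwards to the victim.
    attack = ("https://attacker.example/page",
              ["https://trusted.example/go", "https://victim.example/transfer"])
    trusted = {"https://victim.example", "https://trusted.example"}
    for null_on_cross in (False, True):
        o = origin_header(*attack, null_on_cross=null_on_cross)
        print(f"null_on_cross={null_on_cross}: Origin={o} accepted={csrf_allows({'Origin': o}, trusted)}")
```

Under the redirector-origin rule the victim sees `Origin: https://trusted.example` and a site that trusts that origin accepts the forged request; under the null rule the same chain arrives as `Origin: null` and is refused.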