
[whatwg] CSRFs and Origin header and <form>s

From: Adam Barth <whatwg@adambarth.com>
Date: Sat, 29 Nov 2008 22:38:22 -0800
Message-ID: <7789133a0811292238q6c8b583cr29941c733de9c33@mail.gmail.com>
On Sat, Nov 29, 2008 at 10:20 PM, Ian Hickson <ian at hixie.ch> wrote:
> Regarding the open issue -- it seems like whenever a cross-origin redirect
> takes place, the origin of the redirecting site should be used, instead of
> the original origin. (But the origin should survive same-origin redirects
> unaffected.)

That makes sense for CSRF mitigation, but it might not make sense for
cross-site XMLHttpRequest.  In that case, we'd like the header to
identify which origin will get to read the response (i.e., the
JavaScript context that initiated the request, not the redirector).

> That would reduce the attack surface area to just the case of a hostile
> site finding a redirect on a site trusted by the victim that redirects to
> a victim site. Not sure if there's anything we can do about that case.

Another possibility is to replace the Origin header with "null" if
there is a cross-origin redirect.  The idea in this design is that
multiple origins have contributed to the request and the browser can't
clearly disentangle them.  This design should address the
open-redirector case as well.

Adam
Received on Saturday, 29 November 2008 22:38:22 UTC
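The redirect cases discussed in this exchange can be made concrete with a small model. The following Python is an added illustration, not code from the thread or from any browser: it computes the Origin header a browser would send on the last request of a redirect chain under three candidate rules (always the initiating page's origin, the redirecting site's origin as Ian suggests, or "null" as Adam suggests), and pairs that with a server-side CSRF check that only accepts a trusted, non-null origin. The hostnames, URLs and the trust set are constructed for the example; the open-redirector scenario is the one Ian describes above.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Serialize the origin (scheme://host[:port]) of an http(s) URL.

    Anything that is not an http(s) URL with a host is reported as the
    opaque origin "null".
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return "null"
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def origin_header_after_redirects(initiator_url, chain, policy):
    """Origin header value the browser would send on the last request in `chain`.

    initiator_url: the page whose form or script started the request.
    chain: the first request URL followed by each redirect target, in order.
    policy: how a cross-origin redirect changes the header:
        "initiator"  - always the initiating page's origin (what cross-site
                       XMLHttpRequest wants: the context that reads the response)
        "redirector" - the origin of the site that issued the redirect
        "null"       - "null", because several origins contributed
    Same-origin redirects never change the value under any policy.
    """
    if policy not in ("initiator", "redirector", "null"):
        raise ValueError(f"unknown policy {policy!r}")
    current = origin_of(initiator_url)
    for redirector, target in zip(chain, chain[1:]):
        if origin_of(redirector) == origin_of(target):
            continue  # same-origin redirect: origin survives unaffected
        if policy == "redirector":
            current = origin_of(redirector)
        elif policy == "null":
            current = "null"
    return current


def csrf_check(origin_header, trusted_origins):
    """Server-side check for a state-changing request.

    Accept only when the Origin header is present and names a trusted origin;
    a missing header and the opaque "null" origin are both rejected.
    """
    if origin_header is None or origin_header == "null":
        return False
    return origin_header in trusted_origins


# Constructed scenario (hypothetical hosts): a hostile page posts a form through
# an open redirector on a site the victim trusts, which forwards the request to
# the victim site.
ATTACKER_PAGE = "http://attacker.example/evil.html"
OPEN_REDIRECT_CHAIN = [
    "http://trusted.example/redirect?to=http%3A%2F%2Fvictim.example%2Ftransfer",
    "http://victim.example/transfer",
]
VICTIM_TRUSTED_ORIGINS = {"http://victim.example", "http://trusted.example"}


def open_redirect_scenario(policy):
    """Return (Origin header seen by victim.example, whether its check accepts it)."""
    header = origin_header_after_redirects(ATTACKER_PAGE, OPEN_REDIRECT_CHAIN, policy)
    return header, csrf_check(header, VICTIM_TRUSTED_ORIGINS)


if __name__ == "__main__":
    for policy in ("initiator", "redirector", "null"):
        print(policy, open_redirect_scenario(policy))
```

Running the scenario shows the trade-off in the thread: under the "redirector" rule the victim sees `Origin: http://trusted.example` and, because it trusts that site, accepts the forged request; under the "null" rule it sees `Origin: null` and rejects it; under the "initiator" rule it correctly rejects this request but the header no longer tells a CORS server which context will read the response once a redirect has intervened.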
