
[whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

From: Roger Hågensen <rh_whatwg@skuldwyrm.no>
Date: Tue, 1 Nov 2016 10:42:04 +0100
To: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>
Message-ID: <a62c8fd1-2363-8e2d-ce31-1d7f800e2a71@skuldwyrm.no>
I was wondering how a server or script can identify if a request is from 
a page, iframe or xhr?

Doing this would not prevent any XSS attacks, but it would allow a 
server/server-side script to detect a potential XSS attack.

I could not find any mention of any reliable way to do this currently.

Here is an example of this idea, when the browser fetches the page the 
server sends this as a response header to the browser...

RRS: *

or

RRS: url

or

RRS: iframe

or

RRS: script

And when the browser does a POST it will send one of these (if the server 
sent a RRS header) ...

RRS: url

or

RRS: iframe

or

RRS: script

RRS is short for "Report Request Source/Reported Request Source".
"url" indicates that the request source was a form on the page of the 
requested url.
"iframe" indicates that the request source was from within an iframe on 
the page of the requested url.
"script" indicates that the request source was from a script (via xhr) on 
the page of the requested url.

If a server (or server script) is only expecting a POST from the page 
but gets a RRS result of iframe or script, then this could be logged and 
reported to the server security supervisor for review.

The server sending "RRS: *" indicates that the request should be allowed 
but reported (might be nice for debugging as well).
If it is "RRS: url" then any requests from an iframe or a script would be 
denied/blocked by the browser (blocking two methods of making a POST).


Now if there exists another way to achieve the same and I just haven't 
found it, I'd appreciate it if someone pointed me in the right direction.

I'm also a bit unsure what working group (pun intended) a suggestion 
should be directed to if this does not exist yet.


-- 
Roger Hågensen, Freelancer, http://skuldwyrm.no/
Received on Tuesday, 1 November 2016 09:42:41 UTC
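As an added illustration that is not part of the post above, the following Python models the server side of the proposed RRS exchange: emitting the RRS policy with the page, and evaluating the RRS value a browser would echo back on a POST. The value names ("*", "url", "iframe", "script") are the post's; the decision table and the handling of a missing or malformed header are assumptions built from its description.

```python
"""Server-side handling of the proposed RRS ("Report Request Source") header.

Added example, not code from the original post. Assumed decision table:
  policy "*"       -> every source is allowed but reported (post: "allowed but reported")
  policy "<src>"   -> only that source is allowed; any other source is blocked
  no RRS on POST   -> browser may not implement RRS; allow but flag for review
  unknown value    -> treat as tampering and block
"""
from __future__ import annotations
from dataclasses import dataclass

VALID_SOURCES = {"url", "iframe", "script"}
VALID_POLICIES = VALID_SOURCES | {"*"}


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "report" or "block"
    reason: str


def policy_header(policy: str) -> tuple[str, str]:
    """Response header sent with the page that tells the browser which sources may POST."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown RRS policy: {policy!r}")
    return ("RRS", policy)


def check_post(policy: str, request_headers: dict[str, str]) -> Decision:
    """Evaluate a POST against the RRS policy the server sent with the page."""
    # Header names are case-insensitive, so look the value up without relying on case.
    source = next((v for k, v in request_headers.items() if k.lower() == "rrs"), None)
    if source is None:
        return Decision("report", "no RRS header on POST; browser may not support RRS")
    source = source.strip().lower()
    if source not in VALID_SOURCES:
        return Decision("block", f"malformed RRS value {source!r}")
    if policy == "*":
        return Decision("report", f"request source {source} reported under policy '*'")
    if source == policy:
        return Decision("allow", f"request source {source} matches policy")
    # The post says the browser should already refuse these; the server check is a backstop.
    return Decision("block", f"request source {source} not permitted by policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample POST header sets, as a browser implementing RRS might send them.
    samples = [{"RRS": "url"}, {"rrs": "script"}, {"RRS": "iframe"}, {}, {"RRS": "bogus"}]
    print(policy_header("url"))
    for headers in samples:
        print(headers, "->", check_post("url", headers))
```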