- From: Roger Hågensen <rh_whatwg@skuldwyrm.no>
- Date: Tue, 1 Nov 2016 10:42:04 +0100
- To: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>
I was wondering how can a server or script identify if a request is from page, iframe or xhr? Doing this would not prevent any XSS attacks, but it would allow a server/server-side script to detect a potential XSS attack. I could not find any mention of any reliable way to do this currently. Here is an example of this idea, when the browser fetches the page the server sends this as a response header to the browser... RRS: * or RRS: url or RRS: iframe or RRS: script And when the browser do a POST it will send one of these (if the server sent a RRS header) ... RRS: url or RRS: iframe or RRS: script RRS is short for "Report Request Source/Reported Request Source". "url" indicate that the request source was a form on the page of the requested url. "iframe" indicate that the request source was from within a iframe on the page of the requested url. "script" indicate that the request source was from a script (via xhr) on the page of the requested url. If a server (or server script) is only expecting a POST from the page but get a RRS result of iframe or script then this could be logged and reported to the server security supervisor for review. The server sending "RSS: *" indicate that the request should be allowed but reported (might be nice for debugging as well). If it is "RSS: url" then any requests from a iframe or a script would be denied/blocked by the browser (blocking two methods of making a POST) Now if there exist another way to achieve the same and I just haven't found it I'd appreciate if someone pointed me in the right direction. I'm also a bit unsure what working group (pun intended) a suggestion should be directed to if this does not exist yet. -- Roger Hågensen, Freelancer, http://skuldwyrm.no/
Received on Tuesday, 1 November 2016 09:42:41 UTC