
Re: [whatwg] How can a server or serverside script identify if a request is from a page, iframe or xhr?

From: Michael A. Peters <mpeters@domblogger.net>
Date: Tue, 1 Nov 2016 03:26:26 -0700
To: whatwg@lists.whatwg.org
Message-ID: <2b6d9c8f-65bb-eda6-fa3a-a6c2b4d7f085@domblogger.net>
On 11/01/2016 02:42 AM, Roger Hågensen wrote:
> I was wondering how can a server or script identify if a request is from
> a page, iframe or xhr?
>
> Doing this would not prevent any XSS attacks, but it would allow a
> server/server-side script to detect a potential XSS attack.
>
> I could not find any mention of any reliable way to do this currently.
>
> Here is an example of this idea, when the browser fetches the page the
> server sends this as a response header to the browser...
>
> RRS: *
>
> or
>
> RRS: url
>
> or
>
> RRS: iframe
>
> or
>
> RRS: script
>
> And when the browser does a POST it will send one of these (if the server
> sent a RRS header) ...
>

Any server admin that trusts a header sent by a client for security 
purposes is a fool. They lie, and any browser extension or plugin can 
influence what headers are sent and what they contain.

The only thing you really can do with POST is set a single-use CSRF 
token that the browser must include with the POST data.

If the browser does not send the token or sends an incorrect/expired 
token for the session ID then the server rejects the post (I send a 403 
Forbidden).
Received on Tuesday, 1 November 2016 10:27:00 UTC
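The reply above describes the server-side behaviour in words only. What follows is an added example (not code posted by either participant): a minimal server-side check that binds single-use CSRF tokens to a session, expires them, and rejects a POST with 403 when the token is missing, replayed, expired, or belongs to another session. It also shows why the proposed client-declared header adds nothing: the handler never consults request headers for the decision. The in-memory `Session` class, the `handle_post` function and the 10-minute lifetime are assumptions made for the example, not part of any real framework.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed token lifetime for this example; a real deployment picks its own.
TOKEN_TTL_SECONDS = 600


@dataclass
class Session:
    """Hypothetical server-side session record (in-memory for the example)."""
    session_id: str
    # Outstanding single-use tokens for this session: token -> expiry (epoch seconds)
    csrf_tokens: Dict[str, float] = field(default_factory=dict)


def issue_csrf_token(session: Session, now: Optional[float] = None) -> str:
    """Mint a fresh, unguessable token, remember it against this session, and
    return it so the page can embed it in the form that will be POSTed."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    session.csrf_tokens[token] = now + TOKEN_TTL_SECONDS
    return token


def consume_csrf_token(session: Session, presented: Optional[str],
                       now: Optional[float] = None) -> bool:
    """Validate and burn a token. Returns True at most once per issued token,
    and only for the session the token was issued to."""
    now = time.time() if now is None else now
    if not presented:
        return False
    # Iterate over a snapshot so we can delete while scanning. compare_digest
    # keeps the comparison constant-time, so timing does not leak matching bytes.
    for token, expiry in list(session.csrf_tokens.items()):
        if hmac.compare_digest(token, presented):
            del session.csrf_tokens[token]     # single use, even if it turns out expired
            return now <= expiry
    return False


def handle_post(session: Session, form: Dict[str, str], headers: Dict[str, str],
                now: Optional[float] = None) -> Tuple[int, str]:
    """Hypothetical POST handler. Returns (status, body).

    Only the token carried in the POST body is trusted. `headers` is accepted
    purely to make the point: any client-declared hint such as a hypothetical
    'RRS: page' header is ignored, because the client chooses what it sends.
    """
    if not consume_csrf_token(session, form.get("csrf_token"), now):
        return 403, "Forbidden"
    return 200, "OK"


def demo() -> Dict[str, int]:
    """Walk through the cases the reply lists, with a fixed clock so it is
    deterministic. Returns the status code observed for each case."""
    t0 = 1_700_000_000.0
    sess = Session("sid-A")
    other = Session("sid-B")
    results = {}

    good = issue_csrf_token(sess, now=t0)
    results["valid"] = handle_post(sess, {"csrf_token": good}, {}, now=t0 + 1)[0]
    # Replaying the same token is rejected: it was burned on first use.
    results["replay"] = handle_post(sess, {"csrf_token": good}, {}, now=t0 + 2)[0]
    # No token at all, with a spoofed 'RRS' header claiming a legitimate origin.
    results["missing_with_header"] = handle_post(sess, {}, {"RRS": "page"}, now=t0 + 2)[0]
    # Token past its lifetime.
    stale = issue_csrf_token(sess, now=t0)
    results["expired"] = handle_post(sess, {"csrf_token": stale}, {},
                                     now=t0 + TOKEN_TTL_SECONDS + 1)[0]
    # Token issued to one session, presented under another session ID.
    foreign = issue_csrf_token(sess, now=t0)
    results["wrong_session"] = handle_post(other, {"csrf_token": foreign}, {}, now=t0 + 1)[0]
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:20s} -> {status}")
```

The token is stored server-side keyed by session rather than derived purely from the session ID, which is what makes it single-use: the server can forget it after one successful check. Expired tokens are deleted on the failed check too, so the per-session dictionary does not grow without bound as pages are loaded and abandoned; a real implementation would also sweep entries whose expiry has passed.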