
CSRF Protection

It occurred to me that there is another way of providing protection against CSRF attacks, in addition to the ones already mentioned on Wikipedia.

There are several ways to forge a request in a CSRF attack: an iframe, a script tag, an image tag, a scripted window.open(), etc. As far as I know XHR is not one of these, because cross-domain rules kick in before the request is sent and not when the reply is read.

Both the iframe and XHR will allow you to construct POST requests; the other attack mechanisms are restricted to GET only. With the iframe method, you use some DOM scripting to create a form that targets an iframe. This implies that only form-formatted data can be sent over an iframe POST request.

So in the Ajax world, it might be possible to have a CSRF-safe application that works simply by insisting on POST and denying anything that is application/x-www-form-urlencoded. Clearly this technique won't work for non-Ajax requests, because it requires the browser to use XHR.
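Here is the gate described above written out as server-side logic. It is an added example, not code from the original post or from any library mentioned here; the function names, the header handling and the sample requests are constructed for illustration. It goes slightly beyond the post by rejecting every body type an HTML form can submit (the enctype values application/x-www-form-urlencoded, multipart/form-data and text/plain), not just the first, since a scripted form inside an iframe can produce any of the three.

```javascript
// Added example (not from the original post): accept only POST requests
// whose body could NOT have been produced by an HTML <form>.
// Assumption: the legitimate Ajax client sends its payload with a
// non-form content type such as application/json.

// The three encodings an HTML form can submit (via the enctype attribute).
const FORM_CAPABLE_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Case-insensitive header lookup over a plain { name: value } object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Reduce "Multipart/Form-Data; boundary=abc" to "multipart/form-data".
function normalizeContentType(value) {
  if (typeof value !== 'string') return '';
  return value.split(';')[0].trim().toLowerCase();
}

// The CSRF gate itself. Returns { ok: true } for requests the handler may
// act on, otherwise { ok: false, reason } so the rejection can be logged.
function checkCsrfByContentType(method, headers) {
  if (String(method).toUpperCase() !== 'POST') {
    return { ok: false, reason: 'method-not-post' };
  }
  const ct = normalizeContentType(getHeader(headers, 'Content-Type'));
  if (ct === '') {
    // A missing type is treated as hostile rather than guessed at.
    return { ok: false, reason: 'missing-content-type' };
  }
  if (FORM_CAPABLE_TYPES.has(ct)) {
    return { ok: false, reason: 'form-capable-content-type' };
  }
  return { ok: true };
}

// Constructed sample requests, in the shape of { method, headers }.
const SAMPLE_REQUESTS = [
  { label: 'ajax-json',      method: 'POST', headers: { 'content-type': 'application/json; charset=utf-8' } },
  { label: 'html-form',      method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  { label: 'iframe-upload',  method: 'POST', headers: { 'content-type': 'multipart/form-data; boundary=xyz' } },
  { label: 'img-or-script',  method: 'GET',  headers: {} },
  { label: 'no-type',        method: 'POST', headers: {} },
];

// Run every sample through the gate; returns { label: reason-or-'ok' }.
function classifySamples(requests = SAMPLE_REQUESTS) {
  const out = {};
  for (const r of requests) {
    const verdict = checkCsrfByContentType(r.method, r.headers);
    out[r.label] = verdict.ok ? 'ok' : verdict.reason;
  }
  return out;
}

// Stand-alone run: prints one line per sample.
for (const [label, verdict] of Object.entries(classifySamples())) {
  console.log(label.padEnd(14), verdict);
}
```

Two points for anyone deploying this: parse the media type before comparing (a charset or boundary parameter must not let a form body slip past the string match), and be aware that in browsers with CORS the three form-capable types are exactly the ones a cross-site XHR may send without a preflight, while a JSON-typed cross-site request triggers a preflight the server can simply decline. The check therefore only holds as long as the application does not answer preflights with permissive Access-Control-Allow-Origin headers.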

Obviously this is a fairly advanced technique, but it might be useful for anyone writing an Ajax library like, for example, DWR. I should see if I can't find a DWR tech lead around here somewhere.

Does anyone have any clues on whether this might help as part of a defence-in-depth policy?
