
SameOriginOnly

Web security is horribly broken. No news there. Some time ago I proposed SameRefererOnly as a potential solution to the problems of CSRF. This is a quick update on what's happening with the proposal.

Recap: I think we could adapt an idea like HttpOnly to tackle CSRF. The original idea was a "SameRefererOnly" marker for cookies: an indication that a cookie should only be sent to a site when the referring domain matches the destination domain.

As a result of this paper on Login CSRF, it seems that several browser manufacturers would like to implement the Origin: header. The Origin header is very similar to the Referer header, except that it does not contain the full URL, only the scheme, host and port of the page that made the request. Referer checking is no use against CSRF attacks because many proxies strip it for privacy reasons, and an attacker can force its removal by redirecting through an FTP URL (see the paper for details). So both policies are broken: default deny (reject requests that carry no Referer) locks out legitimate users behind stripping proxies, and default allow (accept requests that carry no Referer) lets the attacker through by forcing the header off.

Whilst the Origin header does help, I'm not convinced that it is a complete solution. Firstly, it depends on privacy concerns being all about the path of a URL and not the domain. I'm not convinced that's correct. Secondly, it still requires action (i.e. Origin header checking) on the part of the server.

So I still believe that the original idea makes sense; however, in deference to the obvious (semi-deliberate) spelling mistake in the name, and a growing belief that 'Origin is the new Referer', I'm now calling it SameOriginOnly. Otherwise the basic ideas are the same as they were originally.

Mark Goodwin has created a Firefox plugin that allows Firefox to obey the principles behind SameOriginOnly, and I've done a very quick hack on Jetty that lets it emit cookies marked SameOriginOnly when you ask it for an HttpOnly cookie. Both are a work in progress.
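To make the two halves of the argument concrete, here is an added example (not the Firefox plugin, not the Jetty hack, and not code from this post) that models both the browser-side SameOriginOnly marker described in the recap and the server-side Origin header check discussed above. The cookie attribute name, the sample Set-Cookie headers, the hostnames, and the rule that a navigation with no initiator (a typed URL or bookmark) counts as user-initiated are all assumptions made for the illustration; real origin comparison would also need scheme, port and registrable-domain handling, which is deliberately left out.

```javascript
// Added example: a model of SameOriginOnly cookie handling (browser side)
// beside an Origin header check (server side). All names are assumptions.

// Constructed Set-Cookie headers, as a Jetty-style server might emit them.
const SAMPLE_SET_COOKIE = [
  'JSESSIONID=abc123; Path=/; HttpOnly; SameOriginOnly',
  'theme=dark; Path=/',
];

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; valueless attributes become `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eqPos = parts[0].indexOf('=');
  const name = parts[0].slice(0, eqPos);
  const value = parts[0].slice(eqPos + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return { name, value, attrs };
}

// Assumption: hosts are compared by exact, case-insensitive match only.
function sameHost(a, b) {
  return a.toLowerCase() === b.toLowerCase();
}

// Browser side: decide which jar cookies are attached to a request for
// `destHost` whose initiator (the page that caused the request) is
// `initiatorHost`. `null` means there is no initiator (typed URL, bookmark),
// which this model treats as user-initiated and therefore allowed. The browser
// knows the true initiator even when the Referer header has been stripped,
// which is the point of doing the check here rather than on the server.
function cookiesForRequest(jar, destHost, initiatorHost) {
  return jar
    .filter((c) => {
      if (!c.attrs.sameoriginonly) return true;            // ordinary cookie
      if (initiatorHost === null) return true;              // user navigation
      return sameHost(initiatorHost, destHost);             // cross-site? drop it
    })
    .map((c) => `${c.name}=${c.value}`);
}

// Server side: the Origin header check the post says still needs server action.
// `headers` keys are assumed lower-cased. `policy` is 'deny' (reject a missing
// Origin) or 'allow' (accept a missing Origin); the post's point is that a
// missing header has to be handled one way or the other, and each way costs.
function originCheck(headers, expectedOrigin, policy) {
  const origin = headers['origin'];
  if (origin === undefined) return policy === 'allow';
  return origin === expectedOrigin;
}

// Stand-alone demonstration.
const jar = SAMPLE_SET_COOKIE.map(parseSetCookie);
console.log('same-site request: ', cookiesForRequest(jar, 'bank.example', 'bank.example'));
console.log('cross-site request:', cookiesForRequest(jar, 'bank.example', 'evil.example'));
console.log('typed URL:         ', cookiesForRequest(jar, 'bank.example', null));
console.log('no Origin, deny:   ', originCheck({}, 'https://bank.example', 'deny'));
console.log('no Origin, allow:  ', originCheck({}, 'https://bank.example', 'allow'));
```

The cross-site case is the CSRF scenario: the session cookie stays home while the harmless `theme` cookie still travels, so the forged request arrives unauthenticated. The two `originCheck` calls with no Origin header show the server-side dilemma from the post: 'deny' breaks users whose header was stripped, 'allow' lets through anyone who can arrange for it to be stripped.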

