[WEB SECURITY] prevent CSRF with origin header

Tiago Mendo tiagomendo at gmail.com
Sun Mar 24 10:39:27 EDT 2013


The OWASP CSRF prevention cheat sheet (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet) mentions the origin header as a method to prevent CSRF.

But isn't this method vulnerable to the same problem that affected Rails some time ago, which was based on a malicious Flash file with a 307 redirect that in some circumstances would allow cross-domain custom headers?
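For readers following the thread, here is what a server-side Origin check of the kind the cheat sheet describes looks like when it fails closed; this is an added example, not code from the post, from Rails or from OWASP, and the allowlist, method set and the `origin_check` / `_origin_of` names are my own assumptions. It compares the full scheme://host[:port] origin exactly (no substring matching), falls back to Referer only when Origin is absent, and rejects requests that carry neither or that carry the literal "null" origin; it is meant as a second layer beside a per-session token, which is what the cheat sheet recommends as the primary defence.

```python
from urllib.parse import urlsplit

# Constructed allowlist of trusted origins: scheme://host[:port], matched exactly.
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}

# Methods that must never change state; the CSRF check applies to every other method.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url):
    """Reduce a URL (an Origin or Referer value) to its scheme://host[:port] origin, or None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return "%s://%s" % (parts.scheme, host)
    return "%s://%s:%d" % (parts.scheme, host, port)


def origin_check(method, headers, trusted=TRUSTED_ORIGINS):
    """Return (allowed, reason) for a request, based on its Origin/Referer headers.

    headers is a dict of header name -> value; names are compared case-insensitively.
    State-changing requests must carry an Origin (preferred) or Referer whose origin
    is in the allowlist. Missing headers, a "null" origin and any mismatch are rejected.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return False, "null origin"  # opaque origin (sandboxed frame, data: URL, etc.)
        return (_origin_of(origin) in trusted), "origin header"
    referer = h.get("referer")
    if referer is not None:
        return (_origin_of(referer) in trusted), "referer header"
    # Neither header present: the source cannot be established, so fail closed.
    return False, "no origin or referer"
```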


