[WEB SECURITY] prevent CSRF with origin header
tiagomendo at gmail.com
Sun Mar 24 10:39:27 EDT 2013
The OWASP CSRF prevention cheat sheet (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet) mentions the origin header as a method to prevent CSRF.
But isn't this method vulnerable to the same problem that affected Rails some time ago, which was based on a malicious Flash file with a 307 redirect that in some circumstances would allow cross-domain custom headers?
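As an added example (not part of the original post or the OWASP cheat sheet), a fail-closed Origin/Referer check of the kind the cheat sheet describes, rejecting the literal "null" origin and requests carrying neither header; the allowlist and function names are assumptions:

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to submit state-changing requests.
ALLOWED_ORIGINS = {"https://app.example.com"}


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if it does not parse."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_same_origin_request(headers: dict, allowed=ALLOWED_ORIGINS) -> bool:
    """Return True only when the request provably comes from an allowed origin.

    Order of checks: prefer the Origin header; fall back to Referer when
    Origin is absent; a literal 'null' Origin (sent e.g. for sandboxed or
    some redirected cross-site requests) is rejected; a request carrying
    neither header is rejected, so the check fails closed.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        if origin.lower() == "null":
            return False
        return _origin_of(origin) in allowed
    referer = h.get("referer")
    if referer:
        return _origin_of(referer) in allowed
    return False
```

Comparison is on the full scheme://host[:port] string, so a scheme downgrade or a look-alike host such as app.example.com.evil.net is rejected rather than prefix-matched.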