[WEB SECURITY] prevent CSRF with origin header

Taras oxdef at oxdef.info
Sun Mar 31 12:52:44 EDT 2013


BTW, what about browser support for the Origin header? FF/Chrome/Opera/IE?

On Sunday 24 March 2013 18:39 Tiago Mendo wrote:
> Hi,
> The OWASP CSRF prevention cheat sheet
> (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
> mentions the origin header as a method to prevent
> But isn't this method vulnerable to the same problem that affected Rails
> some time ago, which was based on a malicious flash with a 307 redirect
> that in some circumstances would allow cross-domain custom headers?
> Thanks,
> Tiago Mendo

GPG: C8D1F510
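The Origin-header check the cheat sheet mentions, written out as an added example (not code from this thread or from OWASP; the ALLOWED_ORIGINS value and the sample requests are constructed): it normalises the header to scheme://host[:port], compares it against an allow-list, falls back to Referer for browsers that do not send Origin, and refuses state-changing requests that carry neither header or an opaque "null" origin.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allow-list for this example

def normalize_origin(value):
    """Reduce a URL or origin to scheme://host[:port], lower-cased, default port dropped."""
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    try:
        port = parts.port  # raises ValueError on a malformed port such as ':abc'
    except ValueError:
        return None
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port is None or port == {"http": 80, "https": 443}[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def csrf_check(method, headers, allowed=ALLOWED_ORIGINS):
    """Return (accepted, reason) for one request; header names match case-insensitively."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check"
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin")
    if source == "null":  # opaque origin (sandboxed frame etc.): cannot be tied to our site
        return False, "opaque 'null' Origin"
    if source is None:  # browsers that never send Origin: fall back to Referer
        source = h.get("referer")
        if source is None:
            return False, "state-changing request without Origin or Referer"
    norm = normalize_origin(source)
    if norm is None:
        return False, "unparseable Origin/Referer"
    if norm in {normalize_origin(a) for a in allowed}:
        return True, "origin matches allow-list"
    return False, f"origin {norm} is not allowed"

# Constructed samples: same-site, cross-site, headerless and Referer-only POSTs, plus a GET.
SAMPLES = [
    ("POST", {"Origin": "https://app.example.com"}),
    ("POST", {"Origin": "https://evil.example"}),
    ("POST", {}),
    ("POST", {"Referer": "https://app.example.com/settings"}),
    ("GET", {}),
]

def run_samples():
    return [csrf_check(method, headers)[0] for method, headers in SAMPLES]
```

The check only answers whether the header names your own site; it cannot tell whether the browser let a plugin or a redirect set that header, which is the question raised above, so it belongs alongside a per-session token rather than in place of one.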
