[WEB SECURITY] prevent CSRF with origin header

Taras oxdef at oxdef.info
Sun Mar 31 12:52:44 EDT 2013


Hi,

BTW, what about browsers' support of the Origin header? FF/Chrome/Opera/IE?

On Sunday 24 March 2013 18:39 Tiago Mendo wrote:
> Hi,
> 
> The OWASP CSRF prevention cheat sheet
> (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet)
> mentions the origin header as a method to prevent CSRF.
> 
> But isn't this method vulnerable to the same problem that affected Rails
> some time ago, which was based on a malicious flash with a 307 redirect
> that in some circumstances would allow cross-domain custom header?
> 
> 
> thanks
> 
> Tiago Mendo


-- 
Taras
http://oxdef.info
GPG: C8D1F510
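As an added example (not code from either poster or from the OWASP cheat sheet), here is the Origin-header check the thread discusses, with a Referer fallback for user agents that do not send Origin and a fail-closed default when neither header can be verified. The allowed origins and the sample requests are constructed values.

```python
from urllib.parse import urlsplit

# Origins this application is served from (constructed sample values).
# Entries are scheme://host[:port]; a request whose Origin matches none is rejected.
ALLOWED_ORIGINS = {"https://app.example.com", "https://www.example.com"}


def _header(headers: dict, name: str):
    """Case-insensitive header lookup over a plain dict of request headers."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def _origin_of(url: str):
    """Reduce a URL to its scheme://host[:port] origin, or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_same_origin_request(headers: dict) -> tuple:
    """Decide whether a state-changing request may proceed.

    Returns (allowed, reason). Origin is preferred; Referer is a fallback for
    browsers that do not send Origin; with neither header the request is denied
    (fail closed), because an absent header cannot prove the request's source.
    """
    origin = _header(headers, "Origin")
    if origin is not None:
        # "null" is sent for opaque origins (sandboxed frames, data: URLs, some
        # redirect chains). It never matches a real site, so reject it explicitly.
        if origin.strip().lower() == "null":
            return False, "Origin is null"
        if origin.strip().lower() in ALLOWED_ORIGINS:
            return True, "Origin header matched"
        return False, "Origin not allowed"
    referer = _header(headers, "Referer")
    if referer:
        if _origin_of(referer) in ALLOWED_ORIGINS:
            return True, "Referer origin matched"
        return False, "Referer origin not allowed"
    return False, "no Origin or Referer header"


if __name__ == "__main__":
    # Constructed sample requests: same-site POST, cross-site POST, opaque origin, no headers.
    for hdrs in ({"Origin": "https://app.example.com"},
                 {"origin": "https://attacker.example"},
                 {"Origin": "null"},
                 {"Referer": "https://www.example.com/account?tab=1"},
                 {}):
        print(hdrs, "->", is_same_origin_request(hdrs))
```

Pair this check with a per-session token rather than relying on it alone: it answers "where did the browser say this came from", not "did the user intend this request".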