[WEB SECURITY] prevent CSRF with origin header
oxdef at oxdef.info
Sun Mar 31 12:52:44 EDT 2013
BTW, what about browsers' support of the Origin header? FF/Chrome/Opera/IE?
On Sunday 24 March 2013 18:39 Tiago Mendo wrote:
> The OWASP CSRF prevention cheat sheet
> vention_Cheat_Sheet) mentions the origin header as a method to prevent
> But isn't this method vulnerable to the same problem that affected Rails
> some time ago, which was based on a malicious flash with a 307 redirect
> that in some circumstances would allow cross-domain custom header?
> Tiago Mendo
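As an added illustration (not code from the thread or from the OWASP cheat sheet), here is a server-side Origin/Referer check of the kind the cheat sheet describes: state-changing requests must carry an Origin (or, failing that, a Referer) that matches an allowlist, and requests carrying neither are rejected. The allowlist, method set and header dictionary shape are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins this application is served from.
ALLOWED_ORIGINS = {"https://app.example.com"}
# Methods that change state and therefore need the check.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def normalize_origin(value):
    """Reduce a URL or origin string to lowercase scheme://host[:port]."""
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def source_origin(headers):
    """Origin header first; fall back to the Referer's origin; None if absent."""
    origin = _header(headers, "Origin")
    if origin is not None:
        # An unparsable Origin (e.g. "null") is returned as-is so it fails the
        # allowlist instead of silently falling back to Referer.
        return normalize_origin(origin) or origin.strip().lower()
    referer = _header(headers, "Referer")
    if referer:
        return normalize_origin(referer)
    return None


def csrf_check(method, headers):
    """Return (allowed, reason) for a request with the given method and headers."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    src = source_origin(headers)
    if src is None:
        # Fail closed: browser-issued state-changing requests normally carry
        # at least one of the two headers.
        return False, "no Origin or Referer header"
    if src in ALLOWED_ORIGINS:
        return True, "origin allowed"
    return False, f"origin {src} not allowed"
```

The check relies on the browser supplying these headers; it does not address the forged-header concern raised in the quoted message, which is about the client side.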