[WEB SECURITY] prevent CSRF with origin header
jim at manico.net
Sun Mar 31 12:59:20 EDT 2013
I manage the cheat sheet series for OWASP.
I'm looking for a volunteer to fully rewrite the CSRF Cheatsheet. It
needs a major refresh. If anyone is interested, please drop me a line.
On Apr 1, 2013, at 12:53 AM, Taras <oxdef at oxdef.info> wrote:
> BTW, what about browsers' support of the Origin header? FF/Chrome/Opera/IE?
> On Sunday 24 March 2013 18:39 Tiago Mendo wrote:
>> The OWASP CSRF prevention cheat sheet
>> vention_Cheat_Sheet) mentions the origin header as a method to prevent
>> But isn't this method vulnerable to the same problem that affected Rails
>> some time ago, which was based on a malicious flash with a 307 redirect
>> that in some circumstances would allow cross-domain custom headers?
>> Tiago Mendo
> GPG: C8D1F510
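The Origin-header check Tiago's quoted message refers to, written out as an added example (not code from the thread or from the OWASP cheat sheet): prefer Origin, fall back to Referer, and fail closed when neither is usable. The allow-list host `app.example.com` is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; a real deployment would hold its
# own canonical origin(s) here.
ALLOWED_ORIGINS = {"https://app.example.com"}


def _normalize_origin(value):
    """Reduce a URL or origin string to scheme://host[:port], or None if unusable."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port            # may raise ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def is_trusted_origin(headers, allowed=ALLOWED_ORIGINS):
    """Return True only when a state-changing request can be tied to our own site.

    Checks Origin first and Referer second, comparing the full scheme/host/port
    rather than a substring, so "app.example.com.evil.example" does not match.
    An absent header, a malformed value, or the literal "null" origin (which
    browsers send for opaque origins such as sandboxed frames) is rejected, so
    the check fails closed instead of silently allowing the request.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if value is None:
            continue
        if value.strip().lower() == "null":
            return False
        return _normalize_origin(value) in allowed
    return False
```

This check is one layer; the cheat sheet pairs it with a synchronizer token, since some clients and proxies strip Referer and the header is only as trustworthy as the browser sending it.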