Changes between Version 3 and Version 4 of CsrfProtection


Timestamp: May 12, 2009, 7:05:55 AM
Author: Luke Plant
Comment: --

  • CsrfProtection

    v3 v4  
    109109 4. Cross sub-domain CSRF: '''protected'''
    110110 5. Cross sub-domain login CSRF: '''protected'''
    111  6. Cross sub-domain session fixing: '''not protected'' (out of scope)
     111 6. Cross sub-domain session fixing: '''not protected''' (out of scope)
    112112
    113113The big problem with strict Referer checking is that the Referer header is suppressed by some browsers and by some networks.  However, Barth et al have shown that for same-domain HTTPS requests, this is as little as 0.05% - 0.22%, and recommend that this method can be used for HTTPS connections.  Since HTTPS connections cannot be tampered with (apart from in some rare internal-network-with-proxy situations), suppression of the Referer header can only be done by the browser, so if a user is having problems due to use of this method, they can simply be instructed to configure their browser differently or use a different browser.