Changes between Version 5 and Version 6 of CsrfProtection
- Timestamp: Jun 30, 2009, 5:13:19 AM
CsrfProtection
v5 v6 134 134 * for HTTPS connections, adding strict Referer checking closes the other vulnerabilities opened up by the change from 'HMAC of session identifier' to 'session independent nonce' (i.e. CSRF + MITM under HTTPS) 135 135 136 137 = Further work = 138 139 * Could examine use of Origin header for CSRF protection, in addition to this. 140 * It's usefulness will really depend on whether browsers implement it, and how quickly - we won't be able to rely on it for a long time. 141 * Note that if we simply compare Origin and Host, we are still vulnerable to DNS rebinding attacks. It would be better to use a setting that listed allowable values of Host. (Or provide that as another middleware? If a request has the wrong Host value, should it automatically be assumed to be CSRF or suspicious?)
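Review bot: the added "Further work" bullets never say what the Origin check does when the header is absent, and that case decides whether the idea is safe, since the check is proposed only "in addition to this" and a browser that sends no Origin would otherwise have to be either waved through or rejected wholesale; state explicitly that a missing Origin falls back to the existing token check (and, under HTTPS, to the strict Referer checking kept on line 134) rather than counting as a pass. On the DNS rebinding bullet, the closing question "If a request has the wrong Host value, should it automatically be assumed to be CSRF or suspicious?" is easier to answer if the two concerns are kept apart: validating Host against "a setting that listed allowable values of Host" is host-header validation and can reject the request outright, independent of CSRF, while comparing Origin against that same allowed list stays inside the CSRF check; the parenthetical's suggestion of a separate middleware is the cleaner way to express that split. Typo in the second bullet: "It's usefulness" should read "Its usefulness".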