20061224

Browser protection from xsrf

I've been noodling over ways that browsers can reduce the threat of XSRF, and unfortunately, shy of forcing the user to make a decision, or removing existing functionality, I can't think of a really good way. Here are some thoughts on the matter:

  • Disallow img, script, link rel, object, etc. requests to a different domain than the page itself. Most browsers used to have options for this, but there are so many ad-driven sites that it's not really practical to implement. Nor is it practical to force the user to make a decision about what to do there.
  • Disallow POST via JavaScript. This would break a bunch of existing apps.
  • When a request (GET or POST) is being made "automagically", request user verification, including the form data that's being sent.
  • This is ugly, ugly, ugly, but: add a flag to a cookie that identifies it as a session cookie. If the flag is set and a site outside that cookie's scope initiates a request that would otherwise carry the cookie, the browser either drops the cookie from the request, disallows the transaction, or asks the user. App developers can opt in by just setting the flag. Ad servers can make sure they're still tracking users (for right or for wrong) by just NOT setting the flag.
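
As an added illustration (not part of the original post), here is a toy Python model of that last proposal: a browser cookie jar in which each cookie carries a hypothetical "session" flag, and a selection routine that withholds flagged cookies when the request was initiated by a page outside the cookie's scope, while unflagged cookies keep today's behaviour. The hosts, cookie names and values are constructed for the demo, and the `session` flag is the post's hypothetical attribute, not a real cookie field.

```python
"""Toy model of the "session cookie flag" idea.

Added example, not from the original post. It simulates the part of a
browser that decides which cookies to attach to an outgoing request, given
both the request's target host and the host of the page that initiated it.
Hosts and cookie values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # host the cookie is scoped to, e.g. "bank.example"
    session: bool = False  # the post's hypothetical "session cookie" flag


def host_in_scope(host: str, cookie_domain: str) -> bool:
    """True if `host` is the cookie's domain or a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_to_send(jar: List[Cookie], target_host: str, initiator_host: str) -> List[Cookie]:
    """Select the cookies attached to a request for `target_host` that was
    initiated (img, script, auto-submitted form, XHR...) by a page on
    `initiator_host`.

    Unflagged cookies follow today's rule: sent whenever the target is in
    scope, whoever initiated the request (the behaviour XSRF relies on).
    Flagged cookies are additionally withheld when the initiating page is
    outside the cookie's scope, which is the post's fourth proposal.
    """
    sent = []
    for c in jar:
        if not host_in_scope(target_host, c.domain):
            continue  # ordinary domain scoping
        if c.session and not host_in_scope(initiator_host, c.domain):
            continue  # cross-site initiator: drop the flagged cookie
        sent.append(c)
    return sent


def build_jar(flag_session_cookie: bool) -> List[Cookie]:
    """Constructed sample jar: a bank login cookie and an ad tracker."""
    return [
        Cookie("sid", "constructed-session-id", "bank.example", session=flag_session_cookie),
        Cookie("track", "constructed-tracker-id", "ads.example", session=False),
    ]


def names(cookies: List[Cookie]) -> List[str]:
    return sorted(c.name for c in cookies)


def demo() -> Dict[Tuple[str, bool], List[str]]:
    """Run the scenario from the post with and without the flag on the bank
    cookie, returning the cookie names that travel with each request:
    a forged request from a third-party page to the bank, a legitimate
    request from the bank's own page, and an ad beacon to the ad server."""
    results: Dict[Tuple[str, bool], List[str]] = {}
    for flagged in (False, True):
        jar = build_jar(flagged)
        results[("forged", flagged)] = names(cookies_to_send(jar, "bank.example", "thirdparty.example"))
        results[("legit", flagged)] = names(cookies_to_send(jar, "bank.example", "www.bank.example"))
        results[("ad", flagged)] = names(cookies_to_send(jar, "ads.example", "thirdparty.example"))
    return results


if __name__ == "__main__":
    for (case, flagged), sent in demo().items():
        print(f"{case:6} flag={str(flagged):5} -> cookies sent: {sent}")
```

Without the flag the forged request carries `sid`, so the bank sees an authenticated request it never intended to receive; with the flag set, the same request goes out bare while the bank's own pages and the (unflagged) ad tracker are unaffected, which is the trade-off the bullet describes.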
