Referer checking should work against known exploits if written correctly. The four downsides I see are:
- It requires that the browser send the Referer header. Some users and companies consider this a privacy issue (and potentially a security issue), as the Referer header contains information about the browser's history and could carry sensitive information in the query string. So they may already have a browser setting or company proxy that strips the header. Of course we could say it's a requirement, but customers could take affront at that (see https://bugs.launchpad.net/launchpad/+bug/560246). Privacy is a hot topic.
- There is a new HTML5 meta tag to configure whether the referer is sent or not.
- I think we can cover the known problems with request checking, but new browser vulnerabilities could come out (Flash or other plugins) that create a hole.
- We do have to be careful to implement the referer checking properly.
- More of an image thing than a technical one: on the interwebs everyone always recommends using the token approach. It's the accepted, transparent approach. People may be confused or doubtful if you implement a different approach. (See https://www.google.com/webhp?ie=UTF-8#q=csrf+referer+)
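What "implementing the referer checking properly" looks like in practice, as an added example (not code from the page or the project it discusses): the check compares the full origin of the Origin or Referer header against an allow-list, fails closed when both headers are absent (which is exactly the user/proxy case from the first downside), and compares whole origins rather than string prefixes. The allow-list value is a constructed placeholder.

```python
from typing import Optional
from urllib.parse import urlsplit

# Origins allowed to make state-changing requests (constructed example value).
ALLOWED_ORIGINS = {"https://app.example.com"}


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to its scheme://host[:port] origin, or None if unparsable.

    Hostnames are lower-cased by urlsplit; default ports are dropped so that
    https://APP.example.com:443/x and https://app.example.com/ compare equal.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname
    if port and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def is_trusted_source(headers: dict) -> bool:
    """Return True only if the request provably came from an allowed origin.

    Origin is consulted first (it is what browsers send on cross-site POSTs);
    Referer is the fallback. If the first header present does not match, the
    request is rejected without consulting the other. A request with neither
    header is rejected: a "fail open" here is the classic referer-check bug.
    Comparing whole origins means https://app.example.com.attacker.test does
    not match https://app.example.com, which a startswith() check would allow.
    """
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return _origin_of(value) in ALLOWED_ORIGINS
    return False
```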