...

Referer checking should work against known exploits if written correctly. The four major downsides I see are:

  • It requires that the browser sends the referer header. Some users and companies consider this a privacy issue (and potentially a security issue), as the referer header contains information about the browser's history and could carry sensitive information in the query string. So they may already have a browser setting or company proxy that strips the header. Of course we could say it is a requirement, but customers could take affront at that (see https://bugs.launchpad.net/launchpad/+bug/560246). Privacy is a hot topic.
    • There is a new HTML5 meta tag to configure whether the referer is sent or not.
  • I think we can cover the known problems with request checking, but new browser vulnerabilities could come out (Flash or other plugins) that create a hole.
  • We do have to be careful to implement the referer checking properly.
  • More of an image thing than a technical one: on the interwebs everyone always recommends the token approach. It is the accepted, transparent approach. People may be confused or doubtful if you implement a different approach. (See https://www.google.com/webhp?ie=UTF-8#q=csrf+referer+)
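As an added example, not part of the original page, here is one way to implement the check "properly" in Python: it compares the full origin (scheme, host, port) against an allow-list instead of doing a substring match, prefers the Origin header over Referer, and fails closed when a privacy proxy has stripped both headers. The allow-list, header dict and function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list of origins this application is served from (assumption).
ALLOWED_ORIGINS = {"https://app.example.com", "https://app.example.com:443"}


def _origin_of(url):
    """Return the normalised scheme://host[:port] of a URL, or None if unparseable.

    A bare "null" Origin (sent for some cross-origin cases) has no scheme and
    therefore yields None, which the caller treats as a rejection.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_request_source(method, headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a state-changing request may proceed.

    Returns (allowed: bool, reason: str). Safe methods are never blocked;
    everything else must carry an Origin or Referer whose origin is allowed.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    allowed_norm = {_origin_of(a) for a in allowed}
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        # Fail closed: a stripped header means the request cannot be verified.
        return False, "missing Origin/Referer header"
    origin = _origin_of(source)
    if origin is None:
        return False, "unparseable or null source"
    # Exact origin comparison; a startswith() check would accept
    # https://app.example.com.evil.net or a Referer whose query string embeds our URL.
    if origin in allowed_norm:
        return True, f"origin {origin} allowed"
    return False, f"origin {origin} not allowed"
```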

...