Thursday, February 8th, 2007
Joe Walker has an idea for CSRF protection. Will it work?
There are several ways to forge a request in a CSRF attack: an iframe, a script tag, an image tag, a scripted window.open(), etc. As far as I know XHR is not one of these, because the cross-domain rules kick in before the request is sent, not when the reply is read.
Both the iframe and XHR methods let you construct POST requests; the other attack mechanisms are restricted to GET only. With the iframe method, you use some DOM scripting to create a form whose target is an iframe. This implies that only form-formatted data can be sent over an iframe POST request.
So in the Ajax world, it might be possible to have a CSRF-safe application simply by insisting on POST and denying anything that is application/x-www-form-urlencoded. Clearly this technique won't work for non-Ajax requests, because it requires the browser to use XHR.
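The server-side half of that idea, as an added example that is not code from the original post or from Joe Walker: a small Node.js-style request filter that refuses anything except a POST whose Content-Type is one a plain HTML form cannot produce. It goes slightly beyond the text's single case by rejecting every form-encodable type (multipart/form-data and text/plain as well as application/x-www-form-urlencoded), since an HTML form's enctype can emit all three. The function names, status codes and the fake request objects are assumptions made for the example.

```javascript
// Added example (not from the original post): "POST only, no form-encoded bodies"
// as a server-side check. Names below are hypothetical.

// Content types an HTML <form> (including one targeting an iframe) can produce.
const FORM_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Strip parameters such as "; charset=utf-8" and normalise case so a
// header like "Application/X-WWW-Form-Urlencoded; charset=UTF-8" still matches.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Decide whether a request may reach a state-changing handler.
// Returns { ok: true } or { ok: false, status, reason }.
function checkRequest(method, contentType) {
  if (method !== 'POST') {
    return { ok: false, status: 405, reason: 'state-changing requests must be POST' };
  }
  const type = mediaType(contentType);
  if (type === '') {
    return { ok: false, status: 415, reason: 'missing Content-Type' };
  }
  if (FORM_TYPES.has(type)) {
    return { ok: false, status: 415, reason: 'form-encodable Content-Type rejected: ' + type };
  }
  return { ok: true };
}

// Wrap a real handler; works with Node's http (req.method, req.headers,
// res.writeHead, res.end) or any object of the same shape.
function csrfFilter(next) {
  return function (req, res) {
    const verdict = checkRequest(req.method, req.headers['content-type']);
    if (!verdict.ok) {
      res.writeHead(verdict.status, { 'Content-Type': 'text/plain' });
      res.end(verdict.reason);
      return false;
    }
    next(req, res);
    return true;
  };
}

// Minimal stand-in for an http.ServerResponse so the filter can be exercised
// in-process (constructed for the example; no network involved).
function fakeResponse() {
  const res = { statusCode: 200, body: '' };
  res.writeHead = function (status) { res.statusCode = status; };
  res.end = function (body) { res.body = body || ''; };
  return res;
}

// Run the filter over a constructed request and report what the client would see.
function simulate(method, contentType) {
  const req = { method: method, headers: { 'content-type': contentType } };
  const res = fakeResponse();
  csrfFilter(function (_req, r) { r.end('ok'); })(req, res);
  return { status: res.statusCode, body: res.body };
}

// What the Ajax client sends: a JSON body, which no <form> can produce.
// (Browser-side code; kept as a string so this file runs under Node.)
const clientSnippet =
  "var xhr = new XMLHttpRequest();\n" +
  "xhr.open('POST', '/transfer', true);\n" +
  "xhr.setRequestHeader('Content-Type', 'application/json');\n" +
  "xhr.send(JSON.stringify({ to: 'alice', amount: 100 }));";

// Forged attempts: an <img>/<script> GET, and an iframe-targeted form POST.
console.log(simulate('GET', undefined));                                   // 405
console.log(simulate('POST', 'application/x-www-form-urlencoded; charset=UTF-8')); // 415
console.log(simulate('POST', 'multipart/form-data; boundary=abc'));       // 415
// The legitimate XHR call:
console.log(simulate('POST', 'application/json'));                          // 200 ok
```

To wire it into a real server, pass `csrfFilter(yourHandler)` to `http.createServer`. The filter only implements what the post proposes; it does not replace a per-session token, and its safety rests entirely on the assumption in the text that nothing other than XHR from the same origin can make the browser send a non-form Content-Type.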
Posted by Dion Almaer at 10:00 am