Tuesday, August 7th, 2007
Joe Walker has spoken about adding SameRefererOnly to the cookie spec:
I think we could adapt an idea like HttpOnly to tackle CSRF – I’d like to see a “SameRefererOnly” marker for cookies.
SameRefererOnly is an indication that a cookie should only be sent to a Site when the referring domain is the same as the destination domain.
A number of people have commented that you could use server-based referer checking to fix CSRF; however, that doesn’t work for 2 reasons: firstly, sometimes referers are not sent, and secondly, using old versions of Flash, you can forge referer headers anyway.
However if we move the checking into the browser, then we should be able to instruct browsers to be more careful what they do without our cookies.
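To make the proposal concrete, here is an added example (not code from the post or from Joe Walker) that models the SameRefererOnly decision a browser would make, next to the server-side Referer check the quote says is insufficient. It assumes cookies are matched on hostname only, and that a request carrying no Referer counts as cross-site for a SameRefererOnly cookie; the post does not specify that case.

```javascript
// Toy model of the proposed browser-side rule versus a server-side check.
// Assumption: a missing Referer is treated as cross-site (fail closed); the
// original proposal does not say how that case should behave.

// Constructed cookie jar for the fictional site "bank.example".
const jar = [
  { name: "session", value: "abc123", domain: "bank.example", sameRefererOnly: true },
  { name: "theme", value: "dark", domain: "bank.example", sameRefererOnly: false },
];

// Browser side: which cookie names are attached to a request to
// destinationUrl whose referring page is refererUrl (or undefined)?
function cookiesToSend(jar, destinationUrl, refererUrl) {
  const dest = new URL(destinationUrl).hostname;
  const ref = refererUrl ? new URL(refererUrl).hostname : null;
  return jar
    .filter((c) => c.domain === dest)              // cookie belongs to the site
    .filter((c) => !c.sameRefererOnly || ref === dest) // SameRefererOnly gate
    .map((c) => c.name);
}

// Server side: the check the post argues against. It only sees the header
// value, so when the Referer is absent it must either accept the request
// (losing the protection) or reject it (breaking users whose browser or
// proxy strips the header), and a forged header looks identical to a real one.
function serverRefererCheck(refererHeader, expectedHost, acceptMissing) {
  if (refererHeader === undefined) return acceptMissing;
  return new URL(refererHeader).hostname === expectedHost;
}

// Same-site navigation: both cookies travel with the request.
// Cross-site request from third-party.example: only "theme" travels, so the
// session cookie never reaches the state-changing endpoint.
// No Referer at all: the session cookie is withheld under the assumption above.
module.exports = { jar, cookiesToSend, serverRefererCheck };
```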
In other security news, Christian Matthies has explained DNS Pinning, complete with pretty pictures.
Posted by Dion Almaer at 12:26 pm