Hi All,
The Access-Control spec [1] adds an 'Origin' header that is submitted
with all requests. I propose that we specify that form POSTs should do
the same. This would be a very powerful mechanism to prevent CSRF
attacks as it would allow CSRF prevention to happen in the server,
rather
Adam Barth, John Mitchell, and I have written an academic paper in
support of the Origin header as a CSRF defense:
http://crypto.stanford.edu/websec/csrf/
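As an added illustration of the server-side check the proposal enables (example code written here, not code from the thread or from the Stanford paper), the Python filter below admits a state-changing request only when its Origin header, or failing that the Referer, names one of the site's own origins; the allowlist and the header dictionaries are constructed for the example.

```python
# Added example (not from the thread or the paper): a server-side CSRF check
# that enforces the Origin header on state-changing requests.
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def normalize_origin(url):
    """Reduce a URL (e.g. a Referer value) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_csrf(method, headers, allowed_origins, strict=True):
    """Return (allowed, reason).

    - Safe methods are never blocked: CSRF protection only matters for
      requests that change state.
    - If Origin is present it must match one of our own origins. The value
      'null' (privacy-sensitive contexts, sandboxed frames) is never trusted.
    - If Origin is absent, fall back to Referer. With strict=True a request
      carrying neither header is rejected, which is what a server can do once
      browsers send Origin on every form POST.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    origin = h.get("origin")
    if origin is not None:
        if origin.lower() in allowed_origins:
            return True, "origin allowed"
        return False, f"origin {origin!r} not allowed"
    referer_origin = normalize_origin(h.get("referer", ""))
    if referer_origin is not None:
        if referer_origin in allowed_origins:
            return True, "referer origin allowed"
        return False, f"referer origin {referer_origin!r} not allowed"
    if strict:
        return False, "no Origin or Referer on state-changing request"
    return True, "no origin information; lenient mode"

ALLOWED = {"https://bank.example"}  # constructed sample allowlist (assumption)

if __name__ == "__main__":
    print(check_csrf("POST", {"Origin": "https://bank.example"}, ALLOWED))
    print(check_csrf("POST", {"Origin": "https://attacker.example"}, ALLOWED))
    print(check_csrf("POST", {"Origin": "null"}, ALLOWED))
    print(check_csrf("POST", {}, ALLOWED))
```

Note that the allowlist must list each origin exactly as the browser sends it (scheme, host and any explicit port), and that the lenient fallback exists only for clients that send neither header.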
On Wed, Jul 9, 2008 at 6:59 PM, Jonas Sicking [EMAIL PROTECTED] wrote: