On 11/01/2016 02:42 AM, Roger Hågensen wrote:
I was wondering how can a server or script identify if a request is from
page, iframe or xhr?
Doing this would not prevent any XSS attacks, but it would allow a
server/server-side script to detect a potential XSS attack.
I could not find any mention of any reliable way to do this currently.
Here is an example of this idea, when the browser fetches the page the
server sends this as a response header to the browser...
RRS: *
or
RRS: url
or
RRS: iframe
or
RRS: script
And when the browser do a POST it will send one of these (if the server
sent a RRS header) ...
Any server admin that trusts a header sent by a client for security
purposes is a fool. They lie, and any browser extension or plugin can
influence what headers are sent and what they contain.
The only thing you really can do with POST is set a single use CSRF
token that the browser must include with the POST data.
If the browser does not send the token or sends an incorrect/expired
token for the session ID then the server rejects the post (I send a 403
forbidden)
