Devdatta wrote:
I agree.  It seems anti-csrf (as currently defined) would be most beneficial
for defending against CSRF attacks that don't require any user action beyond
simply viewing the page (e.g., <img src="attack">).

Form actions would perhaps require some additional constraints, such as only
allowing submission to |self| or other whitelisted URIs.

I don't understand. In each of the cases above, the attacker site will
not enable the directives and img requests or form requests from his
page will cause a CSRF to occur.

For image CSRF, some protection would be required against redirection.
Either redirection must be disallowed, or anti-csrf needs to be enforced
for all redirections until the resource is located.  But I'm not sure if
the latter is going to work if CSP policies are not composable, and any
of the redirections or the image itself defines a CSP policy.

Form requests to attacker.com would presumably be blocked, as
attacker.com isn't in |self| nor the whitelist.  So the attacker won't
be able to direct the user to a page without anti-csrf protection using
forms.  But again this requires some enforcement of the whitelist during
any redirects.

Any ideas for how best to address the redirect problem?

Mike

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
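An added example, not code from the thread or from any CSP implementation, modelling the redirect problem Mike raises: an image request whose first hop is whitelisted but which redirects to a state-changing URL on another origin, checked once against the initial URL versus once per hop until the resource is located. The directive names, the policy shape (`self` plus an `allow` list), the redirect table and the sample URLs are all assumptions for illustration.

```javascript
// Added example (not from the thread or from any browser/CSP code).
// Models a page-level "anti-csrf" policy as { self, allow } and shows why
// the whitelist has to be enforced at every redirect hop, not only on the
// URL the page originally requested. Uses the WHATWG URL global (Node/browser).

function origin(u) {
  return new URL(u).origin;
}

// Hypothetical policy shape: self origin plus whitelisted origins.
function originAllowed(policy, u) {
  const o = origin(u);
  return o === policy.self || policy.allow.includes(o);
}

// Follows a constructed redirect table (url -> Location target) and applies
// the whitelist at each hop until a URL with no further redirect is reached.
// Returns { allowed, hop, url } where hop is the index of the blocking or
// final URL in the chain.
function fetchWithPolicy(startUrl, redirects, policy, maxHops = 5) {
  let url = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!originAllowed(policy, url)) {
      return { allowed: false, hop, url };           // blocked at this hop
    }
    const next = redirects[url];
    if (next === undefined) {
      return { allowed: true, hop, url };            // resource located
    }
    url = next;                                      // keep following
  }
  return { allowed: false, hop: maxHops, url, reason: "too many redirects" };
}

// The weak variant: check only the URL the page asked for, then follow
// redirects blindly. This is what "image CSRF via redirect" exploits.
function fetchFirstHopOnly(startUrl, redirects, policy, maxHops = 5) {
  if (!originAllowed(policy, startUrl)) {
    return { allowed: false, hop: 0, url: startUrl };
  }
  let url = startUrl;
  let hop = 0;
  while (redirects[url] !== undefined && hop < maxHops) {
    url = redirects[url];
    hop++;
  }
  return { allowed: true, hop, url };
}

// Constructed sample: a page on app.example whitelists cdn.example for images.
// An attacker who can place content on cdn.example (or who controls a
// whitelisted host that redirects) points an <img> at a URL that 302s to a
// state-changing request on bank.example.
const POLICY = { self: "https://app.example", allow: ["https://cdn.example"] };
const REDIRECTS = {
  "https://cdn.example/pixel.gif":
    "https://bank.example/transfer?to=attacker&amount=1000",
};

// A form action is just a request whose first hop is the action URL, so the
// same per-hop check covers the form case Mike describes.
function formSubmissionAllowed(policy, action, redirects) {
  return fetchWithPolicy(action, redirects, policy).allowed;
}

function demo() {
  const weak = fetchFirstHopOnly("https://cdn.example/pixel.gif", REDIRECTS, POLICY);
  const strict = fetchWithPolicy("https://cdn.example/pixel.gif", REDIRECTS, POLICY);
  const form = formSubmissionAllowed(POLICY, "https://attacker.example/collect", REDIRECTS);
  return { weak, strict, form };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The first-hop-only check lets the image load because cdn.example is whitelisted; the per-hop check stops at hop 1 when the chain reaches bank.example. The form case is blocked at hop 0 because attacker.example is neither `self` nor whitelisted. What the model does not address is the second half of Mike's concern: if any hop in the chain delivers its own policy, the per-hop check above silently uses only the embedding page's policy rather than composing them.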