On Sat, Jun 13, 2009 at 5:39 AM, Tyler Close<tyler.cl...@gmail.com> wrote:
> On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth<w...@adambarth.com> wrote:
>> Suppose GuestXHR doesn't send an Origin header for any requests and a
>> server uses the algorithm in draft-abarth-origin to mitigate CSRF
>> attacks. Now, an attacker can mount a CSRF attack against the server.
>
> Could you provide a bit more detail here? I don't understand how an
> attacker could mount a CSRF attack using GuestXHR, if there are no
> user credentials in a GuestXHR request.
For example, GuestXHR could be used to mount a login CSRF attack.
Alternatively, if the server is using IP-based authentication, it could
be used to mount a CSRF attack (e.g., inflate the bill at the ACM digital
library, which uses IP-based authentication).

> It seems to me that Origin is only about telling a server how to treat
> user credentials attached to a request.

The Origin-as-CSRF-defense is about giving the server advice on when to
change state. Oftentimes user credentials are also involved in this
decision, but that's not necessary.

Adam
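An added illustration of the point made above (example code written for this page, not code from the thread's participants or from draft-abarth-origin): a server-side Origin check that only rejects a mismatching Origin, next to a stricter variant, run over constructed requests. The trusted origin, the request samples and the simplified model of the draft's check are assumptions.

```python
# Added example: Origin-header CSRF checks applied to constructed requests.
# Shows why a client that omits Origin entirely (the thread's hypothetical
# GuestXHR) passes a check that only rejects *mismatching* Origin values,
# and how a stricter policy closes that gap for servers where the decision
# to change state does not depend on user credentials (login CSRF, IP auth).
from typing import Mapping

TRUSTED_ORIGINS = {"https://app.example"}          # assumed server origin
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

def origin_check_lenient(method: str, headers: Mapping[str, str]) -> bool:
    """Reject only when Origin is present and untrusted; a missing header is
    accepted (simplified model of the compatibility-friendly behaviour the
    thread attributes to draft-abarth-origin, not the draft's own text)."""
    if method.upper() not in STATE_CHANGING:
        return True
    origin = headers.get("Origin")
    if origin is None:
        return True                       # no Origin -> treated as legacy client
    return origin in TRUSTED_ORIGINS

def origin_check_strict(method: str, headers: Mapping[str, str]) -> bool:
    """Require a trusted Origin on every state-changing request. Blocks
    credential-less and network-authenticated cross-site writes, at the
    cost of rejecting clients that never send Origin."""
    if method.upper() not in STATE_CHANGING:
        return True
    origin = headers.get("Origin")
    return origin is not None and origin in TRUSTED_ORIGINS

# Constructed sample requests (not captured traffic).
REQUESTS = {
    "same_origin_form": ("POST", {"Origin": "https://app.example", "Cookie": "sid=abc"}),
    "cross_origin_form": ("POST", {"Origin": "https://evil.example", "Cookie": "sid=abc"}),
    "privacy_null_origin": ("POST", {"Origin": "null"}),   # present but opaque
    "guestxhr_no_origin": ("POST", {}),   # hypothetical GuestXHR: no cookies, no Origin
    "safe_get": ("GET", {}),
}

def evaluate(policy) -> dict:
    """Map each constructed request to the policy's accept/reject decision."""
    return {name: policy(m, h) for name, (m, h) in REQUESTS.items()}

if __name__ == "__main__":
    for name, fn in (("lenient", origin_check_lenient), ("strict", origin_check_strict)):
        print(name, evaluate(fn))
```

Only the no-Origin request separates the two policies: the lenient check accepts it, the strict one rejects it, while both reject a foreign or "null" Origin and both accept same-origin writes and plain GETs.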