On Sat, Jun 13, 2009 at 12:20 PM, Tyler Close <[email protected]> wrote:
> On Sat, Jun 13, 2009 at 10:23 AM, Adam Barth <[email protected]> wrote:
>> Alternatively, if the server is using IP-based authentication, it could
>> be used to mount a CSRF attack (e.g., inflate the bill at the ACM
>> digital library, which uses IP-based authentication).
>
> Since such servers aren't currently looking for the Origin header,
> adding the header still won't protect them. I'm also not sure they
> would block on the header if they did know about it. If they think
> IP-based authentication is good enough, are they really going to
> reject a request with "Origin: null"?

If they did, I could deflate my bill by submitting my own requests with the "Origin: null" header using curl. ;)

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
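The server-side Origin check the thread is debating, written out as an added example (mine, not from the thread, and not a description of how the ACM digital library behaves); the allowlist of trusted origins and the constructed sample requests are assumptions. It rejects a missing or "null" Origin on state-changing requests, which is what would stop a browser-mounted CSRF, while a direct client such as curl can still send any Origin value it likes, so the check complements per-user authentication rather than replacing IP-based or any other authentication.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: origins whose pages are permitted to issue state-changing requests.
TRUSTED_ORIGINS = {"https://example.org", "https://app.example.org"}

# Methods that change server state and therefore need the Origin check.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def normalize_origin(value):
    """Return scheme://host[:port] in lowercase, or None if value is not a usable origin."""
    if value is None:
        return None
    value = value.strip()
    # "null" is the opaque origin: a sandboxed frame, a privacy-sensitive context,
    # or simply a non-browser client that chose to send it. It identifies nobody.
    if value.lower() == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def origin_check(method, headers):
    """Return (allowed, reason) for one request.

    Safe methods pass without an Origin. State-changing requests must carry an
    Origin on the allowlist; a missing or "null" Origin is rejected because the
    server cannot tell which site the request came from.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # HTTP header names are case-insensitive; accept whatever casing the caller used.
    raw = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    origin = normalize_origin(raw)
    if origin is None:
        return False, "missing or null Origin"
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted Origin {origin}"
    return True, "trusted Origin"


# Constructed sample requests, not captured traffic: a same-site form post, a
# cross-site forgery, a sandboxed-frame post, and a curl request with no Origin.
SAMPLE_REQUESTS = [
    ("POST", {"Origin": "https://app.example.org"}),
    ("POST", {"Origin": "https://attacker.example"}),
    ("POST", {"Origin": "null"}),
    ("POST", {"User-Agent": "curl/7.19"}),
]


def evaluate_samples():
    """Run the check over the constructed samples; returns the list of allowed flags."""
    return [origin_check(m, h)[0] for m, h in SAMPLE_REQUESTS]
```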
