On 11/01/2016 02:42 AM, Roger Hågensen wrote:
I was wondering how can a server or script identify if a request is from
page, iframe or xhr?

Doing this would not prevent any XSS attacks, but it would allow a
server/server-side script to detect a potential XSS attack.

I could not find any mention of any reliable way to do this currently.

Here is an example of this idea, when the browser fetches the page the
server sends this as a response header to the browser...

RRS: *


RRS: url


RRS: iframe


RRS: script

And when the browser do a POST it will send one of these (if the server
sent a RRS header) ...

Any server admin that trusts a header sent by a client for security purposes is a fool. They lie, and any browser extension or plugin can influence what headers are sent and what they contain.

The only thing you really can do with POST is set a single use CSRF token that the browser must include with the POST data.

If the browser does not send the token or sends an incorrect/expired token for the session ID then the server rejects the post (I send a 403 forbidden)

Reply via email to