[Owasp-leaders] CSRF in XHR

Craig Younkins craig.younkins at owasp.org
Mon Jun 28 12:02:25 EDT 2010

This documentation snippet is in the context of CSRF "middleware" that
checks CSRF tokens on POST requests:

"The middleware tries to be smart about requests that come in via AJAX. Most
modern JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP
header; these requests are detected and automatically *not* handled by this
middleware. We can do this safely because, in the context of a browser, the
header can only be added by using XMLHttpRequest, and browsers already
implement a same-domain policy for XMLHttpRequest.

For the more recent browsers that relax this same-domain policy, custom
headers like "X-Requested-With" are only allowed after the browser has done
a 'preflight' check to the server to see if the cross-domain request is
allowed, using a strictly 'opt in' mechanism, so the exception for AJAX is
still safe—if the developer has specifically opted in to allowing cross-site
AJAX POST requests on a specific URL, they obviously don't want the
middleware to disallow exactly that."

Basically, anything with the "X-Requested-With: XMLHttpRequest" HTTP header
is not checked for CSRF.

What does anyone think about this? It seems a little sketchy to be trusting
the browser, but at the same time I cannot poke a hole in it. Is there a way
to set the X-Requested-With header in the browser other than XHR?

I was unfamiliar with what is referenced as the relaxed cross-domain policy
in more recent browsers.
a post by John Resig, author of jQuery, on XHR in Firefox 3. The security
implications are not clear to me.


Craig Younkins
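The decision described in the quoted documentation, as an added example that is not code from the original post or from the middleware it quotes. It models both the CSRF check (with the XHR exemption switchable on and off) and the CORS "simple request" rule that the exemption's safety argument rests on; the cookie and form-field names, and the sample requests, are assumptions constructed for the example.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Headers a browser may attach to a cross-origin request without a preflight.
CORS_SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def needs_preflight(method, headers):
    """True if a cross-origin browser request with these headers requires a CORS preflight.
    X-Requested-With is not safelisted, so a request carrying it always triggers one;
    that is the property the quoted documentation relies on."""
    if method.upper() not in {"GET", "HEAD", "POST"}:
        return True
    for name, value in headers.items():
        if name.lower() not in CORS_SAFELISTED:
            return True
        if name.lower() == "content-type" and \
                value.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES:
            return True
    return False


def csrf_decision(method, headers, cookies, form, exempt_xhr=True):
    """Return "allow" or "reject". exempt_xhr=True reproduces the quoted policy;
    False is the stricter variant that always demands a token. The cookie and
    form field are both named "csrf_token" here (assumed names for this example)."""
    if method.upper() in SAFE_METHODS:
        return "allow"
    if exempt_xhr and _header(headers, "X-Requested-With") == "XMLHttpRequest":
        return "allow"
    expected, supplied = cookies.get("csrf_token"), form.get("csrf_token")
    if expected and supplied and hmac.compare_digest(expected, supplied):
        return "allow"
    return "reject"


# Constructed sample requests: a plain cross-site form post and an XHR post, both without a token.
FORGED_FORM_POST = dict(method="POST", headers={"Content-Type": "application/x-www-form-urlencoded"},
                        cookies={"csrf_token": "abc123"}, form={})
XHR_POST = dict(method="POST", headers={"X-Requested-With": "XMLHttpRequest"},
                cookies={"csrf_token": "abc123"}, form={})

if __name__ == "__main__":
    print(needs_preflight("POST", FORGED_FORM_POST["headers"]))  # False: plain form posts cross origins freely
    print(needs_preflight("POST", XHR_POST["headers"]))          # True: the custom header forces a preflight
    print(csrf_decision(**FORGED_FORM_POST))                      # reject
    print(csrf_decision(**XHR_POST))                              # allow under the quoted policy
    print(csrf_decision(**XHR_POST, exempt_xhr=False))            # reject: strict variant still wants a token
```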