[Owasp-leaders] CSRF in XHR

Craig Younkins craig.younkins at owasp.org
Mon Jun 28 12:02:25 EDT 2010


This documentation snippet is in the context of CSRF "middleware" that
checks CSRF tokens on POST requests:

"The middleware tries to be smart about requests that come in via AJAX. Most
modern JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP
header; these requests are detected and automatically *not* handled by this
middleware. We can do this safely because, in the context of a browser, the
header can only be added by using XMLHttpRequest, and browsers already
implement a same-domain policy for XMLHttpRequest.

For the more recent browsers that relax this same-domain policy, custom
headers like "X-Requested-With" are only allowed after the browser has done
a 'preflight' check to the server to see if the cross-domain request is
allowed, using a strictly 'opt in' mechanism, so the exception for AJAX is
still safe—if the developer has specifically opted in to allowing cross-site
AJAX POST requests on a specific URL, they obviously don't want the
middleware to disallow exactly that."


Basically, anything with the "X-Requested-With: XMLHttpRequest" HTTP header
is not checked for CSRF.


What does anyone think about this? It seems a little sketchy to be trusting
the browser, but at the same time I cannot poke a hole in it. Is there a way
to set the X-Requested-With header in the browser other than XHR?


I was unfamiliar with what is referenced as the relaxed cross-domain policy
in more recent browsers.
Here's a post by John Resig, author of jQuery, on XHR in Firefox 3:
http://ejohn.org/blog/cross-site-xmlhttprequest/
The security implications are not clear to me.


Thanks!

Craig Younkins
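An added illustration, not code from this post or from any particular framework: a small Python model of the two CSRF-checking policies under discussion. `policy_exempt_xhr` reproduces the behaviour the quoted documentation describes (skip the token check whenever the request carries `X-Requested-With: XMLHttpRequest`); `policy_always_check` validates the token on every state-changing request regardless of that header and also rejects requests whose `Origin`/`Referer` names another site, so it does not depend on the assumption that only same-origin XHR can set the header. The request objects, cookie and form field names, and the `SITE_ORIGIN` value are all constructed for this example; the "header present but not from XHR" case in the demo is a hypothetical input used only to show how the two policies diverge.

```python
"""Model of CSRF middleware policies (constructed example, not framework code)."""
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
SITE_ORIGIN = "https://app.example"  # constructed origin for this example


@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_token() -> str:
    # Unguessable per-session token; the same value is stored in the cookie
    # and expected back in the form field (or a request header).
    return secrets.token_urlsafe(32)


def token_matches(req: Request) -> bool:
    """Double-submit check: cookie token must equal the token the page sent back,
    either as a form field or as an X-CSRFToken header (constructed names)."""
    cookie = req.cookies.get("csrftoken", "")
    submitted = req.form.get("csrfmiddlewaretoken") or req.headers.get("X-CSRFToken", "")
    # compare_digest avoids leaking the token through comparison timing
    return bool(cookie) and bool(submitted) and hmac.compare_digest(cookie, submitted)


def is_xhr(req: Request) -> bool:
    return req.headers.get("X-Requested-With", "").lower() == "xmlhttprequest"


def policy_exempt_xhr(req: Request) -> bool:
    """The documented behaviour: XHR requests bypass the token check entirely.
    Safe only as long as no non-XHR mechanism can attach the header cross-site."""
    if req.method in SAFE_METHODS:
        return True
    if is_xhr(req):
        return True
    return token_matches(req)


def origin_ok(req: Request) -> bool:
    """Reject when Origin (or, failing that, Referer) names another site.
    A request carrying neither header is left to the token check alone."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = req.headers.get("Referer")
    if referer is not None:
        return referer.startswith(SITE_ORIGIN + "/")
    return True


def policy_always_check(req: Request) -> bool:
    """Hardened variant: no exemption for XHR; token plus origin check on every
    state-changing request. Same-origin XHR must therefore send the token too."""
    if req.method in SAFE_METHODS:
        return True
    return origin_ok(req) and token_matches(req)


def demo() -> dict:
    """Run both policies over constructed requests; returns {name: (exempt, always)}."""
    tok = new_token()
    cookie = {"csrftoken": tok}  # browser attaches the cookie on every request
    cases = {
        # same-origin XHR that relies on the exemption and sends no token
        "xhr_no_token": Request("POST", {"X-Requested-With": "XMLHttpRequest",
                                         "Origin": SITE_ORIGIN}, cookie),
        # same-origin XHR that also sends the token in a header
        "xhr_with_token": Request("POST", {"X-Requested-With": "XMLHttpRequest",
                                           "Origin": SITE_ORIGIN, "X-CSRFToken": tok}, cookie),
        # classic CSRF: cross-site form POST, cookie present, no token
        "cross_site_form": Request("POST", {"Origin": "https://other.example"}, cookie),
        # hypothetical: cross-site request that somehow carries the XHR header
        "cross_site_with_header": Request("POST", {"X-Requested-With": "XMLHttpRequest",
                                                   "Origin": "https://other.example"}, cookie),
        # ordinary same-origin form POST with a valid token
        "form_with_token": Request("POST", {"Origin": SITE_ORIGIN}, cookie,
                                   {"csrfmiddlewaretoken": tok}),
    }
    return {name: (policy_exempt_xhr(r), policy_always_check(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (exempt, always) in demo().items():
        print(f"{name:24s} exempt_xhr={exempt!s:5s} always_check={always}")
```

The `cross_site_with_header` row is the one the question is really about: under the exemption it is accepted without any token, while the always-check policy rejects it twice over (wrong origin, no token). The cost of the hardened policy is visible in the `xhr_no_token` row: same-origin XHR code must be changed to send the token, for example by copying it from the cookie into a request header.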