[Owasp-leaders] CSRF in XHR
craig.younkins at owasp.org
Mon Jun 28 12:02:25 EDT 2010
This documentation snippet is in the context of CSRF "middleware" that
checks CSRF tokens on POST requests:
"The middleware tries to be smart about requests that come in via AJAX. Most
header; these requests are detected and automatically *not* handled by this
middleware. We can do this safely because, in the context of a browser, the
header can only be added by using XMLHttpRequest, and browsers already
implement a same-domain policy for XMLHttpRequest.
For the more recent browsers that relax this same-domain policy, custom
headers like "X-Requested-With" are only allowed after the browser has done
a 'preflight' check to the server to see if the cross-domain request is
allowed, using a strictly 'opt in' mechanism, so the exception for AJAX is
still safe—if the developer has specifically opted in to allowing cross-site
AJAX POST requests on a specific URL, they obviously don't want the
middleware to disallow exactly that."
Basically, anything with the "X-Requested-With: XMLHttpRequest" HTTP header
is not checked for CSRF.
What does anyone think about this? It seems a little sketchy to be trusting
the browser, but at the same time I cannot poke a hole in it. Is there a way
to set the X-Requested-With header in the browser other than XHR?
I was unfamiliar with what is referenced as the relaxed cross-domain policy
in more recent browsers.
a post by John Resig, author of jQuery, on XHR in Firefox 3. It's not clear
to me the security implications.
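As an added example (not part of the original post or of any project's code), a small JavaScript model of the middleware rule quoted above and of the browser-side rules it relies on: same-origin XHR may set custom headers, a cross-origin form cannot, and a cross-origin XHR carrying a custom header only reaches the server after a CORS preflight the server has opted into. All function names, origins and the token value are constructed for illustration.

```javascript
// Constructed session token; a real middleware would compare against the
// token bound to the user's session.
const SESSION_TOKEN = "csrf-token-constructed-123";

// CORS "simple" headers: a browser sends these cross-origin without preflight.
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Server side: the middleware's documented rule. POSTs marked as XHR skip the
// token check; every other POST must present the session's token.
function csrfCheck(req) {
  if (req.method !== "POST") return "allow:safe-method";
  if (req.headers["x-requested-with"] === "XMLHttpRequest") return "allow:xhr-exempt";
  return req.body && req.body.csrftoken === SESSION_TOKEN ? "allow:token" : "deny:bad-token";
}

// Browser side: can a page at pageOrigin get this request delivered to
// serverOrigin at all? Same-origin: yes. A cross-origin form cannot attach
// custom headers. A cross-origin XHR with a custom header is only sent after a
// preflight that the server answers by opting in (modelled by corsPolicy).
function browserDelivers(req, pageOrigin, serverOrigin, corsPolicy) {
  const custom = Object.keys(req.headers).filter(h => !SIMPLE_HEADERS.has(h));
  if (pageOrigin === serverOrigin) return true;
  if (req.via === "form") return custom.length === 0;   // forms carry no custom headers
  if (custom.length === 0) return true;                  // "simple" XHR, sent without preflight
  return corsPolicy.allowOrigins.includes(pageOrigin) &&
         custom.every(h => corsPolicy.allowHeaders.includes(h));
}

// End to end: what the middleware ends up deciding for a request from pageOrigin.
function simulate(req, pageOrigin, serverOrigin, corsPolicy) {
  return browserDelivers(req, pageOrigin, serverOrigin, corsPolicy)
    ? csrfCheck(req) : "not-sent:blocked-by-browser";
}

// Constructed scenarios: the protected site, a server with no CORS opt-in, a
// server that explicitly allows one partner origin to send the XHR header, and
// two POSTs, one via XHR with the marker header and one via a plain HTML form.
const SERVER = "https://app.example";
const NO_CORS = { allowOrigins: [], allowHeaders: [] };
const OPTED_IN = { allowOrigins: ["https://partner.example"], allowHeaders: ["x-requested-with"] };
const xhrPost = { method: "POST", via: "xhr", headers: { "x-requested-with": "XMLHttpRequest" }, body: {} };
const formPost = { method: "POST", via: "form", headers: { "content-type": "application/x-www-form-urlencoded" }, body: {} };

console.log(simulate(xhrPost, SERVER, SERVER, NO_CORS));                    // same-origin XHR: exempt
console.log(simulate(formPost, "https://other.example", SERVER, NO_CORS));  // cross-origin form: token required
console.log(simulate(xhrPost, "https://other.example", SERVER, NO_CORS));   // cross-origin XHR: preflight refused
console.log(simulate(xhrPost, "https://partner.example", SERVER, OPTED_IN));// opted-in origin: exempt, as intended
```

The third scenario is the one the quoted text argues for: with no CORS opt-in the browser never delivers a cross-origin POST that carries the custom header, so the only cross-origin POSTs that reach the middleware are header-less and fall through to the token check.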