[Owncloud] Cross-site request forgery protection

Romain DEP. rom1dep at gmail.com
Mon Jun 11 11:05:30 UTC 2012


On 11/06/2012 11:52, Frank Karlitschek wrote:
> On 11.06.2012, at 05:15, Matthew Dawson <matthew at mjdsystems.ca> wrote:
>
>> On June 10, 2012 09:44:24 PM Florian Rüchel wrote:
>>> Hi Frank,
>>>
>>> I thought about CSRF protection and the general idea already stands. We
>>> should now figure out how we want to have it implemented and then I will
>>> start working on it.

Hi!
I'm not a security specialist, but I recently realized that owncloud 
uses the referer sent by the browser in order to deal with this CSRF 
issue. For some browsers this can prevent the user from logging in in 
some particular cases (Private Browsing, or with some 
security-enforcement addons).
So because everything is being discussed now, and because anyway the 
referer can be spoofed, is it really relevant to use it as a way to 
secure owncloud?

Romain.
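To make the trade-off Romain raises concrete, here is an added example (not code from ownCloud or from anyone in this thread) in Python contrasting a Referer-based check with a per-session synchronizer token; the origin, the `csrf_token` field name and the sample requests are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical deployment origin, constructed for this example.
SITE_ORIGIN = "https://cloud.example.org"


def referer_check(headers: dict) -> bool:
    """Referer-based check: accept only when Referer is present and same-origin.

    It fails closed when the browser sends no Referer at all (private browsing,
    privacy add-ons), which locks legitimate users out of state-changing requests.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    parsed = urlparse(referer)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def issue_token(session: dict) -> str:
    """Synchronizer-token pattern: one random secret per session, embedded in
    every form and AJAX call the application itself renders."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def token_check(session: dict, form: dict) -> bool:
    """Accept the request only if the submitted token matches the session's token.

    A cross-site page cannot read the victim's token (same-origin policy), so a
    request it triggers fails this check regardless of which headers it carries.
    """
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


def evaluate(session: dict, headers: dict, form: dict) -> dict:
    """Run both checks on one request so the outcomes can be compared side by side."""
    return {"referer": referer_check(headers), "token": token_check(session, form)}
```

The token check accepts a legitimate user whose browser strips Referer and rejects a cross-site request whose Referer looks same-origin, which is exactly the two cases where the Referer check gets it wrong.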
