[Owncloud] Cross-site request forgery protection
Romain DEP.
rom1dep at gmail.com
Mon Jun 11 11:05:30 UTC 2012
On 11/06/2012 11:52, Frank Karlitschek wrote:
> On 11.06.2012, at 05:15, Matthew Dawson <matthew at mjdsystems.ca> wrote:
>
>> On June 10, 2012 09:44:24 PM Florian Rüchel wrote:
>>> Hi Frank,
>>>
>>> I thought about CSRF protection and the general idea already stands. We
>>> should now figure out how we want to have it implemented and then I will
>>> start working on it.
Hi!
I'm not a security specialist, but I recently realized that owncloud
uses the referer sent by the browser in order to deal with this CSRF
issue. For some browsers this can prevent the user from logging in in some
particular cases (Private Browsing, or with some security-enforcement
addons).
So because everything is being discussed now, and because anyway the
referer can be spoofed, is it really relevant to use it as a way to
secure owncloud?
Romain.
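
The failure mode raised in the message above (a Referer-based check turning away a legitimate user whose browser omits the header), shown next to a per-session token check. This is an added example, not part of the original message and not ownCloud's code; the host name, the `csrf_token` field name and all function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value for illustration; not taken from ownCloud.
TRUSTED_HOST = "cloud.example.org"


def referer_check(headers):
    """Referer-only check: accept only if the Referer names our own host."""
    referer = headers.get("Referer")
    if not referer:
        # Private browsing modes and privacy add-ons may omit the header,
        # so a genuine same-site request is rejected here.
        return False
    return urlsplit(referer).hostname == TRUSTED_HOST


def issue_token(session):
    """Store a random per-session token and return it for embedding in forms."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def token_check(session, form):
    """Token check: does not depend on any header the browser may drop."""
    expected = session.get("csrf_token")
    if not expected:
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes, safe for arbitrary submitted strings.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def demo():
    """Run both checks on a constructed legitimate and cross-site request."""
    session = {}
    token = issue_token(session)
    # Legitimate form post from a browser that sends no Referer header.
    legit_headers, legit_form = {}, {"csrf_token": token}
    # Request triggered from another site: it carries no valid token.
    cross_headers, cross_form = {"Referer": "https://other.example/page"}, {}
    return {
        "referer_legit": referer_check(legit_headers),
        "token_legit": token_check(session, legit_form),
        "referer_cross_site": referer_check(cross_headers),
        "token_cross_site": token_check(session, cross_form),
    }
```
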