[Owncloud] Cross-site request forgery protection
Sven Radde
sven at fsfe.org
Sat Jun 30 07:43:59 UTC 2012
Hi!
On 30.06.2012 01:36, Florian Hülsmann wrote:
> Would it be possible to do CSRF protection without requiring the browser
> to send the referer header??
Yes, it is possible.
The general approaches center around the concept of transmitting a token
value in a hidden form field. The token cannot be predicted by an attacker.
It is also necessary.
There are quite some scenarios that mangle the Referer header, such as
privacy addons, anti-virus software, proxy servers, or HTTPS trickeries.
My personal favorite example is a referer sent as "blockeriert by Norton
$something" which showed up regularly in my website logs in the past.
cu, Sven
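The hidden-field token approach Sven describes, as an added illustration that is not part of the original thread nor ownCloud's own code; the `session` dict and `form_fields` dict stand in for a real server-side session and parsed POST body (assumptions):

```python
import hmac
import secrets
from html import escape


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) an unpredictable per-session token.

    secrets.token_urlsafe draws from the OS CSPRNG, so an attacker who can
    make the victim's browser submit a form still cannot guess the value.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(session: dict, action: str) -> str:
    """Embed the token in a hidden field of the legitimate form."""
    token = issue_csrf_token(session)
    return (
        f'<form method="post" action="{escape(action)}">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input type="submit" value="Save"></form>'
    )


def verify_csrf(session: dict, form_fields: dict) -> bool:
    """Accept the request only if the submitted token matches the session's.

    The Referer header is never consulted, so privacy add-ons, proxies or
    anti-virus products that strip or mangle it cannot break valid requests;
    a cross-site form without the token is rejected.
    """
    expected = session.get("csrf_token")
    submitted = form_fields.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so a mismatch does not leak token bytes via timing.
    return hmac.compare_digest(expected, submitted)
```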