• Type: New Feature
    • Resolution: Applied
    • Priority: Major
    • V1.1
    • Affects Version/s: Browser Binding Proposal
    • Component/s: Browser Binding

      Proposal details:
      V0 http://www.oasis-open.org/committees/download.php/41394/cmis-csrf-proposal.doc.
      V1 http://www.oasis-open.org/committees/download.php/41612/cmis-csrf-proposal.doc

      Questions we discussed in the meeting:

      Do all PUT and POST endpoints, including the AtomPub binding, need to be protected? No – as Florian put it, that is a theoretical risk. It applies only within a web browser, and browser-based apps are unlikely to use AtomPub when the browser binding is available.

      Do GET endpoints need to be protected? No, browser controls either prevent cross-site GET entirely or prevent JavaScript from inspecting the response.
      "JavaScript hijacking" attacks need more research – they may be an exception to this rule.


      We discussed this topic in the meeting on March 7. By supporting a form post endpoint, the browser binding introduces potential vulnerability to cross-site request forgery attacks (http://en.wikipedia.org/wiki/Csrf). We should provide for some common defenses in the browser binding API.

            Assignee:
            Florian Müller (Inactive)
            Reporter:
            Scott Malabarba (Inactive)
