Bug 322301 (alias: csrf) - [meta] Ideas for mitigating CSRF holes in web sites
Status: NEW (open). Opened 19 years ago, updated 1 year ago.
Component: Core :: Networking: HTTP (enhancement, P3)
Reporter: jruderman. Assignee: Unassigned.
References: depends on 4 open bugs.
Keywords: meta. Whiteboard: [necko-backlog].
Updated 19 years ago (Reporter): Alias: csrf
Updated 19 years ago (Reporter): Assignee: chofmann → nobody
Updated 15 years ago (Reporter): Depends on: clickjacking
Comment 1, 11 years ago
How about a cookie parameter that allows the HTTP client to send the cookie only under certain conditions, e.g. only for specific referers?
You'd have to change the HTTP protocol and get web server software to support it. Still, it's kind of an obvious solution, and it's better than keeping this bug open for at least another 8 years.
Currently, this is how cookies are created:
Set-Cookie: SSID=xyz; Domain=example.com; Path=/~joe
Change this to:
Set-Cookie: SSID=xyz; Domain=example.com; Path=/~joe; Referer=http://example.com/~joe
Now the web browser would be required to send the cookie if some form on http://example.com/~joe POSTs to a script on that site. It must not send that cookie if the user follows an external link to the site. This could be even more restrictive:
Set-Cookie: SSID=xyz; Domain=example.com; Path=/~joe; Referer=http://example.com/~joe; Method=POST
Advantages:
- Simple
- Effective
- Fairly simple to get to work with non-supporting browsers or web servers
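The following is an added example, not code from Firefox or from the commenter, that models the decision a cookie jar would make under the Referer= and Method= attributes proposed in Comment 1. Those two attributes are hypothetical and never shipped (the mechanism browsers eventually adopted for this problem is the SameSite cookie attribute, which keys on the requesting site rather than on the Referer header). The request scenarios are constructed for illustration, and the handling of a request with no Referer at all, which the comment does not address, is an assumption made here: the cookie is withheld, so the restriction fails closed.

```javascript
// Added example: a toy model of the Referer=/Method= cookie attributes
// proposed in Comment 1. Not Firefox code; the attributes are hypothetical.

// Parse a Set-Cookie header into name, value and attributes (keys lower-cased,
// bare flags such as Secure stored as true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Domain and Path matching, simplified from RFC 6265.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, '');
  return host === domain || host.endsWith('.' + domain);
}
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// The proposed Referer= attribute: the request's Referer must have the same
// origin as the allowed URL and a path under it. Comparing origins (not string
// prefixes) keeps http://example.com.attacker.example/~joe from matching.
function refererMatches(refererHeader, allowed) {
  let ref, want;
  try { ref = new URL(refererHeader); want = new URL(allowed); } catch { return false; }
  return ref.origin === want.origin && pathMatches(ref.pathname, want.pathname);
}

// Would the client attach `cookie` to `req`? req = { method, url, referer },
// where referer is null when the header is absent (e.g. stripped by a
// Referrer-Policy). Assumption: a cookie carrying Referer= is withheld when
// the request has no Referer, so the restriction fails closed.
function shouldSendCookie(cookie, req) {
  const url = new URL(req.url);
  const a = cookie.attrs;
  if (a.domain && !domainMatches(url.hostname, a.domain)) return false;
  if (a.path && !pathMatches(url.pathname, a.path)) return false;
  if (a.method && a.method.toUpperCase() !== req.method.toUpperCase()) return false;
  if (a.referer) {
    if (!req.referer) return false;
    if (!refererMatches(req.referer, a.referer)) return false;
  }
  return true;
}

// The most restrictive cookie from the comment.
const SESSION = parseSetCookie(
  'SSID=xyz; Domain=example.com; Path=/~joe; Referer=http://example.com/~joe; Method=POST'
);

// Constructed request scenarios (not captured traffic).
const scenarios = {
  // A form on the site posting to one of its own scripts: cookie sent.
  sameSiteFormPost: { method: 'POST', url: 'http://example.com/~joe/transfer.cgi',
                      referer: 'http://example.com/~joe/form.html' },
  // CSRF: an attacker page auto-submitting a form to that script: withheld.
  crossSiteFormPost: { method: 'POST', url: 'http://example.com/~joe/transfer.cgi',
                       referer: 'http://attacker.example/csrf.html' },
  // Following an external link to the site: withheld.
  externalLink: { method: 'GET', url: 'http://example.com/~joe/',
                  referer: 'http://search.example/results' },
  // Same-site navigation, but GET fails Method=POST: withheld.
  sameSiteGet: { method: 'GET', url: 'http://example.com/~joe/account',
                 referer: 'http://example.com/~joe/' },
  // Referer header stripped entirely: withheld (fail closed, see above).
  noReferer: { method: 'POST', url: 'http://example.com/~joe/transfer.cgi', referer: null },
};

function evaluateAll() {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) out[name] = shouldSendCookie(SESSION, req);
  return out;
}

console.log(evaluateAll());
```

The scenarios show what the comment claims: the cookie rides along with a same-site POST and is withheld for the cross-site POST and the external link. The noReferer case is the practical weak spot of a Referer-based rule, since a referrer policy, a privacy extension or a proxy can strip the header and either lock the legitimate user out (fail closed, as here) or reopen the hole (fail open).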
Comment 2, 9 years ago
Jesse, I'm clearing out the "Tracking" component in bugzilla in preparation to archive it. Can you suggest whether this tracking bug is still useful and if so, which component/team it should belong to? I've made a perhaps-terrible guess.
Component: Tracking → Networking: HTTP
Flags: needinfo?(jruderman)
Updated 9 years ago: Whiteboard: [necko-backlog]
Comment 3, 8 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Comment 4, 8 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Updated 3 years ago: Severity: normal → S3
Comment 5, 2 years ago
Clear a needinfo that is pending on an inactive user.
Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug should perhaps be closed as INCOMPLETE.
For more information, please visit BugBot documentation.
Flags: needinfo?(jruderman)
Updated 1 year ago: See Also: → local-network-access