Open Bug 322301 (csrf) Opened 19 years ago Updated 25 days ago

[meta] Ideas for mitigating CSRF holes in web sites

Categories

(Core :: Networking: HTTP, enhancement, P3)

People

(Reporter: jruderman, Unassigned)

References

(Depends on 4 open bugs)

Details

(Keywords: meta, Whiteboard: [necko-backlog])

Alias: csrf
Depends on: 38933, 40132
Assignee: chofmann → nobody
Depends on: 371598
Depends on: 371657
Depends on: 354493
Depends on: 370583
Depends on: 324397
Depends on: 158463
Depends on: 446344
Depends on: 448611
Depends on: clickjacking
Depends on: 604265
Depends on: 375238
How about a cookie parameter that allows the HTTP client to send the cookie only under certain conditions, e.g. only for specific referers?
You'd have to change the HTTP protocol and get web server software to support it. Still, it's kind of an obvious solution, and it's better than keeping this bug open for at least another 8 years.

Currently, this is how cookies are created:

Set-Cookie: SSID=xyz; Domain=example.com; Path=/~joe

Change this to:

Set-Cookie: SSID=xyz; Domain=example.com; Path=/~joe; Referer=http://example.com/~joe

Now the web browser would be required to send the cookie if some form on http://example.com/~joe POSTs to a script on that site. It must not send that cookie if the user follows an external link to the site. This could be even more restrictive:

Set-Cookie: SSID=xyz; Domain=example.com; Path=/~joe; Referer=http://example.com/~joe; Method=POST
Advantages:
 - Simple
 - Effective
 - Fairly simple to get to work with non-supporting browsers or web servers
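Added example, not code from the comment above or from Mozilla: a Python sketch of how a browser's cookie jar would apply the proposed Referer and Method attributes when deciding whether to attach a cookie. Both attributes are hypothetical, and the matching rule assumed here (same scheme and host as the Referer value, directory-prefix path match, no cookie when the request carries no Referer at all) is an assumption, since the comment does not spell one out.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

def parse_set_cookie(header: str) -> Dict[str, str]:
    # Returns {"name", "value", plus lowercase attributes}; accepts a bare value
    # or a full "Set-Cookie: ..." line. Referer/Method are the proposed (hypothetical) attributes.
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    cookie["path"] = cookie.get("path") or "/"
    if "domain" in cookie:
        cookie["domain"] = cookie["domain"].lstrip(".").lower()
    if "method" in cookie:
        cookie["method"] = cookie["method"].upper()
    return cookie

def _path_matches(request_path: str, cookie_path: str) -> bool:
    # Directory-prefix match: "/~joe" covers "/~joe/post.cgi" but not "/~joey".
    return request_path == cookie_path or request_path.startswith(cookie_path.rstrip("/") + "/")

def should_send(cookie: Dict[str, str], url: str, method: str, referer: Optional[str]) -> bool:
    # Browser-side decision: does this request get the cookie attached?
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    domain = cookie.get("domain")
    if domain and host != domain and not host.endswith("." + domain):
        return False
    if not _path_matches(u.path or "/", cookie["path"]):
        return False
    if cookie.get("method") and method.upper() != cookie["method"]:
        return False
    if "referer" in cookie:
        if referer is None:  # fail closed: typed URL or stripped Referer gets no cookie
            return False
        r, want = urlsplit(referer), urlsplit(cookie["referer"])
        if (r.scheme, r.hostname) != (want.scheme, want.hostname):
            return False
        if not _path_matches(r.path or "/", want.path or "/"):
            return False
    return True
```

With the cookie from the comment, a POST from a form under http://example.com/~joe gets the cookie, while the same POST triggered from another site, a GET, or a request with no Referer does not; a cookie without the attribute is sent in all of those cases, which is the exposure the proposal closes.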
Jesse, I'm clearing out the "Tracking" component in bugzilla in preparation to archive it. Can you suggest whether this tracking bug is still useful and if so, which component/team it should belong to? I've made a perhaps-terrible guess.
Component: Tracking → Networking: HTTP
Flags: needinfo?(jruderman)
Whiteboard: [necko-backlog]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Depends on: 1424076
Severity: normal → S3

Clear a needinfo that is pending on an inactive user.

Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.

For more information, please visit BugBot documentation.

Flags: needinfo?(jruderman)