Open
Bug 322301
(csrf)
Opened 19 years ago
Updated 25 days ago
[meta] Ideas for mitigating CSRF holes in web sites
Categories
(Core :: Networking: HTTP, enhancement, P3)
Tracking
NEW
People
(Reporter: jruderman, Unassigned)
References
(Depends on 4 open bugs)
Details
(Keywords: meta, Whiteboard: [necko-backlog])
Updated•19 years ago
Alias: csrf
Updated•19 years ago
Assignee: chofmann → nobody
Updated•14 years ago
Depends on: clickjacking
Comment 1•10 years ago
How about a cookie parameter that allows the HTTP client to send the cookie only under certain conditions, e.g. only for specific referers? You'd have to change the HTTP protocol and get web server software to support it. Still, it's kind of an obvious solution, and it's better than keeping this bug open for at least another 8 years.

Currently, this is how cookies are created:

  Set-Cookie: SSID=xyz; Domain=example.com; Path=/~joe

Change this to:

  Set-Cookie: SSID=xyz; Domain=example.com; Path=/~joe; Referer=http://example.com/~joe

Now the web browser would be required to send the cookie if some form on http://example.com/~joe POSTs to a script on that site. It must not send that cookie if the user follows an external link to the site.

This could be even more restrictive:

  Set-Cookie: SSID=xyz; Domain=example.com; Path=/~joe; Referer=http://example.com/~joe; Method=POST

Advantages:
- Simple
- Effective
- Fairly simple to get to work with non-supporting browsers or web servers
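The cookie-scoping rule proposed in comment 1, modelled client-side as an added example (not code from this bug or from Firefox): `Referer` and `Method` are the hypothetical Set-Cookie attributes from that comment, not real ones, and a prefix match of the referring URL against the `Referer` value is an assumption about how the comparison would work.

```javascript
// Added example: a model of the proposed Referer/Method cookie attributes.
// "Referer" and "Method" are hypothetical attributes from comment 1; the
// prefix match on the referring URL is an assumed interpretation of them.

// Parse a Set-Cookie header value into { name, value, <attribute>: ... }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Ordinary Domain/Path scoping, as a browser applies it before sending.
function inScope(cookie, url) {
  const host = url.hostname;
  const domainOk = !cookie.domain ||
    host === cookie.domain || host.endsWith("." + cookie.domain);
  const pathOk = !cookie.path || url.pathname.startsWith(cookie.path);
  return domainOk && pathOk;
}

// Decide whether the client may attach `cookie` to `request`.
// request = { url, method, referer }; referer is null when the request
// carried none (e.g. a link followed from a page that suppresses it).
function shouldSendCookie(cookie, request) {
  const url = new URL(request.url);
  if (!inScope(cookie, url)) return false;
  // Proposed Referer attribute: the request must come from a page under the
  // stated URL, so an external link or cross-site form post gets no cookie.
  if (cookie.referer &&
      (!request.referer || !request.referer.startsWith(cookie.referer))) {
    return false;
  }
  // Proposed Method attribute: restrict the cookie to one HTTP method.
  if (cookie.method &&
      request.method.toUpperCase() !== cookie.method.toUpperCase()) {
    return false;
  }
  return true; // a cookie without the new attributes behaves as today
}
```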
Comment 2•8 years ago
Jesse, I'm clearing out the "Tracking" component in bugzilla in preparation to archive it. Can you suggest whether this tracking bug is still useful and if so, which component/team it should belong to? I've made a perhaps-terrible guess.
Component: Tracking → Networking: HTTP
Flags: needinfo?(jruderman)
Updated•8 years ago
Whiteboard: [necko-backlog]
Comment 3•7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Comment 4•7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Updated•2 years ago
Severity: normal → S3
Comment 5•6 months ago
Clear a needinfo that is pending on an inactive user.
Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.
For more information, please visit BugBot documentation.
Flags: needinfo?(jruderman)
Updated•25 days ago
See Also: → private-network-access