Implement Origin header CSRF mitigation
Categories
(Core :: Networking: HTTP, enhancement, P5)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox59 | --- | fixed |
People
(Reporter: mozilla, Assigned: francois)
References
(Blocks 3 open bugs)
Details
(Keywords: dev-doc-complete, sec-want, site-compat, Whiteboard: [sg:want][necko-would-take][adv-main59-])
Attachments
(1 file, 6 obsolete files)
Comment 122•5 years ago
I'm not sure I understand why the Origin header is not set for <form method="POST"> when the action is in another domain? This seems like the basic CSRF attack to me (furthermore if the submit button of the form can be clicked by JavaScript). If I do this on "attacker.com":
<form action="https://victim.com" method="POST">...<button type="submit">poof</button></form>
<script>document.querySelector('button').click()</script>
Then we do have a CORS request that has no Origin and we're totally allowing CSRF?! Chrome does send the Origin header in such a case, why wouldn't we?
Firefox doesn't send that header though, even with the network.http.sendOriginHeader preference set to 1, so it seems this header will never be sent with <form> submissions?
Comment 123•5 years ago
> Then we do have a CORS request that has no Origin

It's not a CORS request, fwiw. Not all cross-origin requests are CORS requests.

That said, code inspection says we should be sending an Origin header in that situation, in Firefox 70 (current nightly) and newer, per bug 1424076.

> Firefox doesn't send that header though, even with the network.http.sendOriginHeader preference set to 1

You want to set it to 2 to send cross-site. That's the value of the pref on nightly.
Comment 124•5 years ago
Oh, I did not know this network.http.sendOriginHeader option had other values. Indeed, 2 sends the Origin on such <form> submissions.
And you're right, that's not "CORS". I'll wait for the FF70 release then, thanks for the clarifications.
Comment 125•5 years ago
Sounds good. For what it's worth, the preference is documented at https://searchfox.org/mozilla-central/rev/4436573fa3d5c4311822090e188504c10c916c6f/modules/libpref/init/all.js#1553-1555
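The server-side counterpart of the exchange above, as an added example that is not code from this bug, from Firefox or from Necko: a request check that uses the Origin header as the CSRF signal, falls back to Referer when Origin is absent, and refuses to treat a missing Origin as same-site. That last point is the one the thread turns on: a Firefox older than 70, or one with network.http.sendOriginHeader set to 1, sends the cross-site form POST from comment 122 with no Origin at all, so a server that reads "no Origin" as "same-site" is open to exactly that attack. The site origin (SITE_ORIGIN), the function names and the sample requests below are constructed for the example, not taken from the bug.

```javascript
// Added example, not Firefox/Necko or Bugzilla code. Origin-header CSRF
// check for state-changing requests, with Referer as a fallback.
// SITE_ORIGIN is a hypothetical trusted origin for the example.
const SITE_ORIGIN = "https://victim.example";

// Methods that must not change state and therefore need no CSRF check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Reduce a Referer URL to its origin (scheme://host[:port]); null if unparsable.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (_e) {
    return null;
  }
}

// headers: plain object with lower-case header names, as Node's http module
// exposes them. Returns { allowed, reason } so the caller can log the reason.
function checkCsrf(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }

  const origin = headers["origin"];
  if (origin !== undefined) {
    // Browsers send the literal string "null" for opaque origins (sandboxed
    // iframes, file:// pages, some redirect chains). It never equals a real
    // origin, so the strict comparison below rejects it as intended.
    if (origin === SITE_ORIGIN) {
      return { allowed: true, reason: "origin matches" };
    }
    return { allowed: false, reason: `origin mismatch: ${origin}` };
  }

  // No Origin header. Firefox before 70 (or with sendOriginHeader=1) omits it
  // on cross-site form POSTs, which is the case raised in comment 122, so
  // absence must not be read as same-site. Fall back to Referer and reject
  // when that is missing too.
  const referer = headers["referer"];
  if (referer !== undefined) {
    const refOrigin = originOf(referer);
    if (refOrigin === SITE_ORIGIN) {
      return { allowed: true, reason: "referer matches" };
    }
    return { allowed: false, reason: `referer mismatch: ${refOrigin}` };
  }
  return { allowed: false, reason: "no Origin or Referer on unsafe request" };
}

// Constructed sample requests (not captured traffic), one per case in the thread.
const SAMPLES = {
  // Chrome, or Firefox 70+ / sendOriginHeader=2: cross-site form POST carries Origin.
  crossSiteWithOrigin: {
    method: "POST",
    headers: { origin: "https://attacker.example", referer: "https://attacker.example/poof.html" },
  },
  // Firefox with sendOriginHeader=1: same cross-site form POST, no Origin.
  crossSiteNoOrigin: {
    method: "POST",
    headers: { referer: "https://attacker.example/poof.html" },
  },
  // Legitimate same-site form submission.
  sameSite: {
    method: "POST",
    headers: { origin: "https://victim.example", referer: "https://victim.example/settings" },
  },
  // Opaque origin, e.g. a sandboxed iframe.
  opaqueOrigin: { method: "POST", headers: { origin: "null" } },
  // Safe method: no check needed.
  plainGet: { method: "GET", headers: {} },
};

// Run every sample through the check and return name -> allowed.
function evaluateSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = checkCsrf(req.method, req.headers).allowed;
  }
  return out;
}

console.log(evaluateSamples());
```

The Referer fallback is the usual way to keep older browsers covered, but a strict Referrer-Policy on the sending page can strip Referer as well, and a legitimate same-site request with neither header is then rejected. If that matters for the site, pair this check with a synchronizer token rather than weakening the rule for missing headers.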