DEV Community

Discussion on: Defense Against the Dark Arts: CSRF Attacks

rtfeldman profile image
Richard Feldman Author

It looks like the Origin/Referer check would have prevented these though, yeah? (I think these are the Flash hacks that OWASP warned about.)

nv1t profile image

If you are able to set referer/origin, the check would be useless. The only thing why the check works: you can't set certain headers without a preflight because of CORS restriction.

BUT: you are right. This particular bug does not affect the referer/origin check, because some headers are blacklistet in flash.
Just wanted to display, that it happened before and planing a fail in a security system, because of another software is never a good idea.

So implementing one solution (token), instead of a solution which could break, and one solid one, is more cost effective.
Tokens are implemented in nearly every framework. Using them are most of the time the easier option.

But i like your writing, and that you supply all the information :)