DEV Community

loading...

Discussion on: Defense Against the Dark Arts: CSRF Attacks

Collapse
rtfeldman profile image
Richard Feldman Author

It looks like the Origin/Referer check would have prevented these though, yeah? (I think these are the Flash hacks that OWASP warned about.)

Collapse
nv1t profile image
nuit

If you are able to set referer/origin, the check would be useless. The only thing why the check works: you can't set certain headers without a preflight because of CORS restriction.

BUT: you are right. This particular bug does not affect the referer/origin check, because some headers are blacklistet in flash.
Just wanted to display, that it happened before and planing a fail in a security system, because of another software is never a good idea.

So implementing one solution (token), instead of a solution which could break, and one solid one, is more cost effective.
Tokens are implemented in nearly every framework. Using them are most of the time the easier option.

But i like your writing, and that you supply all the information :)