Johannes wrote:
On Wed, Oct 01, 2008 at 09:33:09PM +0000, corvid wrote:
Justus wrote:
Johannes Hofmann wrote:
Perhaps we should be more careful about when to send out a cookie. What about not sending cookies with image requests if the host of the image URL is different from the one in the main page? What do other browsers do about this?
Yes, I think this is the way to go. One needs to decide when to send out authentication credentials (legitimate session) and when to strip them (CSRF attempt). Martin Johns and I developed a Firefox extension [0] that does exactly this. Please see [1], pages 29-37, or [2] for more information. [1] is also a pretty good introduction to CSRF. Please note that the browser-independent proxy solution is deprecated (but should work unless the Twisted framework changed its API too much) and the Firefox extension is somewhat unmaintained at the moment...
Having done some reading now: so for an HTTP redirect or an image request A->B, I gather up the cookies that I would send when asking for B and discard those that I would not send if I were asking for A?
Sounds good. In which cases will this not discard all cookies?
Well... if we had two johannes.de cookies and one had the Secure attribute, then if http://johannes.de redirected to https://johannes.de, we'd send one cookie, even though the server will probably expect both, and it's not an uncommon sort of redirect, so it might be bad. But at undergraduates.uni-johannes.de, I lean toward not wanting to trust the requester more than I am really forced to. For that matter, I think the rules let you make cookies for a domain as wide as .uni-johannes.de... or .co.uk... I don't know. Maybe what cookies do is fundamentally a hard problem, but sometimes it feels like they were quickly hacked together without much concern for anything. Or perhaps the controlling bodies had ad revenue in mind more than anything else.
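The filtering rule corvid sketches above (for a sub-request A->B, send to B only the cookies that would also have been sent to A), written out as an added example in JavaScript. This is neither Dillo's code nor the extension Justus refers to; it is a model of the policy. The cookie jar, the host names other than johannes.de and uni-johannes.de, and the RFC 2109-style tail matching of domain attributes are assumptions made for the example. The three cases at the bottom are the ones the thread discusses: the http->https redirect where the Secure cookie is dropped, a cross-site image request whose cookies are stripped entirely, and a wide .uni-johannes.de cookie that survives the rule because the requesting subdomain would get it too.

```javascript
// Added example, not Dillo's code: a minimal cookie jar and the
// "intersection" policy from the thread. Domain matching follows the
// RFC 2109 tail-match rule (host equals the domain, or ends with a
// leading-dot domain); no public-suffix list is applied, so a cookie for
// ".co.uk" would be honoured exactly as corvid fears. All cookies and
// hosts below are constructed for the example.

function hostMatchesDomain(host, domain) {
  if (domain.startsWith('.')) {
    return host === domain.slice(1) || host.endsWith(domain);
  }
  return host === domain;            // no leading dot: exact host only
}

function pathMatches(reqPath, cookiePath) {
  return reqPath.startsWith(cookiePath);   // RFC 2109 prefix match
}

// Cookies a plain, top-level request to urlString would carry.
function cookiesFor(jar, urlString) {
  const url = new URL(urlString);
  return jar.filter(c =>
    hostMatchesDomain(url.hostname, c.domain) &&
    pathMatches(url.pathname, c.path) &&
    (!c.secure || url.protocol === 'https:'));
}

// Identity of a cookie for set membership (domain, path, name).
function cookieKey(c) {
  return `${c.domain}|${c.path}|${c.name}`;
}

// The policy: for a redirect or embedded-resource request initiated by
// initiatorUrl and aimed at targetUrl, keep only the target's cookies
// that would also have been sent to the initiator.
function cookiesForSubRequest(jar, initiatorUrl, targetUrl) {
  const allowed = new Set(cookiesFor(jar, initiatorUrl).map(cookieKey));
  return cookiesFor(jar, targetUrl).filter(c => allowed.has(cookieKey(c)));
}

// Render as the Cookie: header value the request would carry.
function cookieHeader(cookies) {
  return cookies.map(c => `${c.name}=${c.value}`).join('; ');
}

// Constructed jar: two johannes.de cookies (one Secure), one wide
// .uni-johannes.de cookie and an unrelated bank session cookie.
const jar = [
  { name: 'sid',  value: 'abc', domain: 'johannes.de',      path: '/', secure: false },
  { name: 'ssid', value: 'xyz', domain: 'johannes.de',      path: '/', secure: true  },
  { name: 'uni',  value: 'u1',  domain: '.uni-johannes.de', path: '/', secure: false },
  { name: 'bank', value: 'b1',  domain: 'bank.example',     path: '/', secure: false },
];

// Case 1 (corvid's edge case): http -> https redirect on the same host.
// The Secure cookie would not go to the http initiator, so it is dropped
// even though the https server probably expects it.
function redirectCase() {
  return cookieHeader(cookiesForSubRequest(jar, 'http://johannes.de/', 'https://johannes.de/'));
}

// Case 2 (CSRF attempt): a page on evil.example embeds an image from the
// bank. evil.example gets no bank cookies, so none are sent.
function csrfCase() {
  return cookieHeader(cookiesForSubRequest(jar, 'http://evil.example/', 'http://bank.example/transfer'));
}

// Case 3 (wide domain cookie): a page on undergraduates.uni-johannes.de
// requests an image from www.uni-johannes.de. Both hosts match
// .uni-johannes.de, so the rule lets the cookie through.
function wideDomainCase() {
  return cookieHeader(cookiesForSubRequest(jar,
    'http://undergraduates.uni-johannes.de/', 'http://www.uni-johannes.de/'));
}

console.log('redirect :', redirectCase());
console.log('csrf     :', JSON.stringify(csrfCase()));
console.log('wide     :', wideDomainCase());
```

The first case is exactly the breakage corvid anticipates: a top-level https request to johannes.de would carry both `sid` and `ssid`, but the redirect carries only `sid`. The third case shows that the intersection rule is only as strong as the domain attribute allows; any subdomain that can set a `.uni-johannes.de` cookie can also ride on one.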