I wrote:
Johannes wrote:
On Wed, Oct 01, 2008 at 09:33:09PM +0000, corvid wrote:
Justus wrote:
Johannes Hofmann wrote:
Perhaps we should be more careful when to send out a cookie. What about not sending cookies with image requests, if the host of the image url is different from the one in the main page? What do other browsers do about this?
Yes, I think this is the way to go. One needs to decide when to send out authentication credentials (legitimate session) and when to strip them (CSRF attempt). Martin Johns and I developed a Firefox extension [0] that does exactly this. Please see [1] pages 29 - 37 or [2] for more information. [1] is also a pretty good introduction to CSRF. Please note that the browser independent proxy solution is deprecated (but should work unless the twisted framework changed its api too much) and the Firefox extension is somewhat unmaintained at the moment...
Having done some reading now: So for an HTTP redirect or an image request, A->B, I gather up the cookies that I would send when asking for B and discard those that I would not send if I were asking for A?
Sounds good. In which cases will this not discard all cookies?
I should also mention that it does have the virtue of being easy to implement, so it wouldn't take much to be able to try it out. RFC 2965 mentioned not accepting the cookies that you get back from an untrusted request either, which is an interesting thought.
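The rule sketched above (for a sub-request A->B, keep only the cookies that would be sent to B and would also be sent to A) is small enough to show as a complete function. The following is an added example, not code from Dillo or from the Firefox extension mentioned in the thread; it assumes a simplified cookie jar (domain, path and Secure attributes only, no expiry) and constructed sample cookies, and the URL scheme/host/path handling is a minimal stand-in for a real browser's cookie matching.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    """A stored cookie with the attributes that decide whether it is sent.
    domain: "host.example" means host-only; ".corp.example" is a domain
    cookie that is also sent to subdomains (constructed, simplified model)."""
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False


def _domain_matches(host: str, domain: str) -> bool:
    # Domain cookies (leading dot) match the domain itself and any subdomain;
    # host-only cookies must match exactly.
    if domain.startswith("."):
        return host == domain[1:] or host.endswith(domain)
    return host == domain


def _path_matches(request_path: str, cookie_path: str) -> bool:
    # "/" matches everything; otherwise the cookie path must be a
    # directory prefix of the request path.
    if cookie_path == "/":
        return True
    prefix = cookie_path.rstrip("/") + "/"
    return request_path == cookie_path or request_path.startswith(prefix)


def cookies_for(jar, url: str):
    """Cookies a plain top-level request for `url` would carry."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    https = parts.scheme == "https"
    return [c for c in jar
            if _domain_matches(host, c.domain)
            and _path_matches(path, c.path)
            and (https or not c.secure)]


def cookies_for_subrequest(jar, page_url: str, target_url: str):
    """Cookies for a request to `target_url` (image, redirect, ...) that was
    triggered by a page loaded from `page_url`: start from what would be
    sent to the target and drop every cookie the originating page could
    not have received itself. This is the A->B rule from the thread."""
    allowed_by_page = set(cookies_for(jar, page_url))
    return [c for c in cookies_for(jar, target_url) if c in allowed_by_page]


def cookie_header(cookies) -> str:
    """Render the Cookie: request header value ("" if nothing is sent)."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies)


def names(cookies):
    return [c.name for c in cookies]


# Constructed sample jar: a bank session, an SSO cookie shared across a
# company's hosts, and a host-only preference cookie on one of those hosts.
JAR = [
    Cookie("session", "s3cr3t", "bank.example", "/", secure=True),
    Cookie("sso", "tok", ".corp.example", "/"),
    Cookie("pref", "dark", "www.corp.example", "/"),
]


if __name__ == "__main__":
    # A page on an unrelated host embedding an image from the bank: the
    # session cookie is stripped, so the forged request is unauthenticated.
    print(cookie_header(cookies_for_subrequest(
        JAR, "https://attacker.example/", "https://bank.example/transfer")))
    # Same-host sub-request: nothing is stripped.
    print(cookie_header(cookies_for_subrequest(
        JAR, "https://bank.example/account", "https://bank.example/img/logo.png")))
    # Two hosts under one domain cookie: the shared cookie survives,
    # the host-only one does not.
    print(cookie_header(cookies_for_subrequest(
        JAR, "https://intranet.corp.example/", "https://www.corp.example/avatar.png")))
```

The third case is the answer to "in which cases will this not discard all cookies": a domain cookie scoped to a parent domain is eligible for both the originating page and the target, so it is still sent, while a host-only cookie on the target is dropped. Note also that, because the check literally asks "would I send this to A", a cookie whose Path attribute matches B but not A's path is discarded too, which is stricter than the host-based rule first proposed in the thread.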