It occurred to me that there is another way of providing protection against CSRF attacks. I don't propose to implement anything now, but this might be worth considering.
There are several ways to "forge" a request in a CSRF attack: iframe, script tag, XHR, image tag, scripted window.open, etc.
Of these, only two will allow you to construct a POST request: iframe+form and XHR.
XHR can't be used for CSRF attacks because the cross-domain rule is applied *before* the request is sent rather than when the result is read.
On the other hand, iframe+form cannot send arbitrary POST data in the way that XHR can.
So it might be possible to have a super secure mode that mandated non-form-formatted POST data. XHR can't be used for CSRF, so mandating POST rules out all but iframe, and mandating non-form-formatted data rules out this vector too.
This mode would break iframe remoting, which in turn breaks IE6 without ActiveX. But some people might consider that to be worth it.
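The idea above, as an added example that is not part of the original comment or of the project's own code: a server-side filter that only admits POST requests whose body is in a format an HTML form cannot produce. Browsers restrict `<form>` submissions to `application/x-www-form-urlencoded`, `multipart/form-data` and `text/plain`, so a handler that accepts only `application/json` bodies cannot be driven by a cross-site form. The `checkStrictPost` function, the header-object shape (lower-case names, as Node's `http.IncomingMessage.headers` provides) and the sample requests are assumptions made for this example.

```javascript
// Added example (not the project's own code): a request filter for a
// "strict POST" mode that rejects anything an HTML form could have sent.

// The only media types an HTML <form enctype=...> can submit.
const FORM_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Extract the media type from a Content-Type header value, dropping
// parameters such as "; charset=utf-8" and normalising case and spacing,
// so that "Application/JSON ; charset=utf-8" still matches exactly.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Decide whether a request is acceptable in strict mode.
// Returns { ok: true } or { ok: false, reason } so the dispatcher can log why.
// `headers` is an object keyed by lower-case header names (assumed shape,
// matching Node's http.IncomingMessage.headers).
function checkStrictPost(method, headers) {
  if (method !== "POST") {
    return { ok: false, reason: "only POST is accepted in strict mode" };
  }
  const type = mediaType(headers["content-type"]);
  if (type === "") {
    return { ok: false, reason: "missing Content-Type" };
  }
  if (FORM_CONTENT_TYPES.has(type)) {
    return { ok: false, reason: `form-encodable Content-Type ${type} rejected` };
  }
  if (type !== "application/json") {
    return { ok: false, reason: `unsupported Content-Type ${type}` };
  }
  return { ok: true };
}

// Constructed sample requests covering the vectors named in the comment.
const sampleRequests = [
  { name: "same-origin XHR with JSON body", method: "POST",
    headers: { "content-type": "application/json; charset=utf-8" } },
  { name: "iframe+form (urlencoded)", method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" } },
  { name: "iframe+form (multipart)", method: "POST",
    headers: { "content-type": "multipart/form-data; boundary=xyz" } },
  { name: "image tag / script tag", method: "GET", headers: {} },
];

// Run the filter over the samples; only the JSON XHR should pass.
function runSamples() {
  return sampleRequests.map((r) => ({ name: r.name, ...checkStrictPost(r.method, r.headers) }));
}

for (const result of runSamples()) {
  console.log(result.ok ? "ACCEPT" : "REJECT", result.name, result.reason || "");
}
```

The check belongs in the dispatcher before any body parsing, and it must compare the media type exactly after stripping parameters; a loose substring match would let a form-encoded body through. One caveat for today's browsers: under CORS, a cross-origin XHR or fetch that sets `Content-Type: application/json` triggers a preflight, so the server's CORS configuration must not grant that origin access, otherwise the preflight, not this filter, decides the outcome.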