Security/CSP/CSRFModule

From MozillaWiki

Overview

This document defines the CSRFModule, which contains the cross-site request forgery mitigations. The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.

Dependencies

This module depends on BaseModule.

Threat Model

The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities:

  • The attacker can inject a sequence of bytes into a target web page.
  • The attacker can cause the user to visit the target web page.

We further assume the web developer wishes to prevent the attacker from achieving the following goals:

  • The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.

We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.

Syntax

The CSRFModule introduces the following directive:

directive               = "anti-csrf" / "cookieless-images"

Semantics

This section describes the semantics of the directive introduced in the CSRFModule.

anti-csrf

The anti-csrf directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the anti-csrf directive, the directive has the following effects:

  1. When the user agent submits any HTTP request in the context of a document whose CSP policy enables the anti-csrf directive, and the request is classified as one of:
    1. external resource load (e.g., <img src=…>, <link href=…>, <script src=…>, <iframe src=…>, etc.),
    2. link activation,
    3. form action,
    the HTTP request SHALL include a Cookie request header ONLY when the requested URI is contained in the self set of URIs. This is a NECESSARY condition for including a Cookie request header. Other NECESSARY and SUFFICIENT conditions for including a Cookie request header are outside the scope of CSRFModule.
  2. For all other HTTP requests made in the context of a document whose CSP policy enables the anti-csrf directive, the Cookie request header SHALL NOT be included in the request.

The anti-csrf directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without anti-csrf, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.

The anti-csrf directive DOES NOT protect a website against CSRF attacks against itself (where itself is defined as the set of self URIs). Nor does anti-csrf protect against CSRF for such websites that authorize HTTP requests by some mechanism other than Cookie request headers (e.g., implicit authorization based on requester's IP address). However, anti-csrf DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.

Documents that enable anti-csrf must not depend on external resources that are only accessible via Cookie-authorized HTTP request.

cookieless-images

TODO: Affects all images, regardless of where they are loaded from. Cookies are also disallowed over all redirects encountered while locating the image.

Examples

TODO: Add some examples.
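As an added illustration (not part of the original draft and not Mozilla's implementation), the following Python model applies the anti-csrf semantics above to outgoing requests: a Cookie header is attached only for external resource loads, link activations and form actions whose target URI is in the self set, and never for any other request class. The policy string format (semicolon-separated directives), the definition of self as the document's scheme, host and port, the request class names, and the per-hop application of the rule to redirect chains (the first item under Open Issues) are assumptions made for this example.

```python
"""Model of the Cookie-header decision made under the CSP anti-csrf directive.

Added example, not Mozilla's implementation. Assumptions: a policy is a
semicolon-separated list of directives; the self set is the document's
scheme, host and port; the rule is re-applied at every redirect hop.
"""
from urllib.parse import urlsplit

# Request classes listed in semantics item 1; only these may carry a Cookie
# header under anti-csrf, and then only when the target URI is in self.
COOKIE_ELIGIBLE = {"resource", "link", "form"}


def parse_policy(policy):
    """Return the set of directive names in a policy string (assumed syntax)."""
    return {d.strip().split()[0] for d in policy.split(";") if d.strip()}


def origin(uri):
    """Reduce a URI to (scheme, host, port); default ports are normalised."""
    parts = urlsplit(uri)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname or "", port)


def is_self(document_uri, request_uri):
    """True when request_uri is in the document's self set (assumed definition)."""
    return origin(document_uri) == origin(request_uri)


def allows_cookie(policy, document_uri, request_uri, request_class):
    """Decide whether a request made from document_uri may carry a Cookie header."""
    if "anti-csrf" not in parse_policy(policy):
        return True  # directive absent: CSRFModule imposes no restriction
    if request_class not in COOKIE_ELIGIBLE:
        return False  # semantics item 2: no Cookie on other requests, even to self
    return is_self(document_uri, request_uri)  # semantics item 1


def allows_cookie_chain(policy, document_uri, hops, request_class):
    """Apply the decision at every hop of a redirect chain (first open issue)."""
    return [allows_cookie(policy, document_uri, hop, request_class) for hop in hops]


def outgoing_headers(policy, document_uri, request_uri, request_class, cookie_jar):
    """Build the request headers a conforming user agent would send.

    cookie_jar maps host -> Cookie header value (constructed sample data).
    """
    host = urlsplit(request_uri).hostname or ""
    headers = {"Host": host}
    cookie = cookie_jar.get(host)
    if cookie and allows_cookie(policy, document_uri, request_uri, request_class):
        headers["Cookie"] = cookie
    return headers


if __name__ == "__main__":
    jar = {"shop.example": "sid=111", "bank.example": "session=222"}  # constructed
    doc = "https://shop.example/cart"
    # Same-origin image load: cookie sent. Cross-origin form action: cookie withheld.
    print(outgoing_headers("anti-csrf", doc, "https://shop.example/logo.png", "resource", jar))
    print(outgoing_headers("anti-csrf", doc, "https://bank.example/transfer", "form", jar))
    # Link to self that redirects to bank.example: allowed at hop 1, withheld at hop 2.
    chain = ["https://shop.example/go", "https://bank.example/transfer"]
    print(allows_cookie_chain("anti-csrf", doc, chain, "link"))
```

Note that a request class outside the three listed (for instance an XMLHttpRequest) gets no Cookie header even when its target is in self; that is a direct reading of semantics item 2 and is why the list of eligible request classes has to be exhaustive.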

Open Issues

This section contains a list of open issues.

  • Any policy governing the sending of cookies to URIs other than self requires enforcement of the policy over all HTTP redirects encountered while loading the URI. (Presumably self is in control of its redirects.) Enforcement of CSP policies over redirects may conflict with BaseModule if BaseModule defines CSP policies to be non-composable and any redirect target or the final resource declares a CSP policy of its own.
  • The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.
    • To address this threat, form submission should only be allowed to self URIs when anti-csrf is enabled (the allowed set of URIs should be made extensible by other policy declarations).
    • Link activations are still vulnerable to this attack, however.
  • The anti-csrf list of HTTP requests where Cookie header is allowed to be sent must be exhaustive.
  • The CSP policy should be allowed to contain URIs that are exempted from the anti-csrf restrictions.