Security/CSP/CSRFModule: Difference between revisions

Line 49: Line 49:
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs).  Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address).  However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs).  Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address).  However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.


<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt> authenticated HTTP request.</b>
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b>


= Examples  =
= Examples  =
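Review bot: the bold requirement in the changed line gives no reason, and the change to "Cookie-authorized" would be the place to add one; the preceding paragraph states that anti-csrf only bears on requests authorized by Cookie request headers, so the note should say explicitly that an external resource gated on a cookie cannot be relied upon by a document that enables anti-csrf, rather than leaving the reader to infer it. Minor: "only accessible via Cookie-authorized HTTP request" should read "HTTP requests", and the wording now matches the earlier "authorize HTTP requests by ... Cookie request headers", which is an improvement over "Cookie authenticated".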