User:Mtl
Overview
This document defines the CSRFModule, which contains the cross-site request forgery mitigations. The CSRFModule lets web developers mitigate CSRF attacks by disabling browser functionality that their site does not need but that attackers rely on to mount CSRF attacks.
Dependencies
This module depends on the BaseModule.
Threat Model
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities:
- The attacker can inject a sequence of bytes into a target web page.
- The attacker can cause the user to visit the target web page.
We further assume the web developer wishes to prevent the attacker from achieving the following goals:
- The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.
Syntax
The CSRFModule introduces the following directive:
directive = "anti-csrf"
Semantics
This section describes the semantics of the directive introduced in the CSRFModule.
anti-csrf
The anti-csrf directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the anti-csrf directive, the directive has the following effects:
- When the user agent submits any HTTP request in the context of a document with the CSP anti-csrf directive enabled, where such request is classified as one of:
  - external resource load (e.g., img src, link href, script src, iframe src, etc.),
  - link activation,
  - form action,
- For all other HTTP requests in the context of a document with the CSP anti-csrf directive enabled, the Cookie request header SHALL NOT be included in the request.
The anti-csrf directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without anti-csrf, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.
The anti-csrf directive DOES NOT protect a website against CSRF attacks against itself (where itself is defined as the set of self URIs). Nor does anti-csrf protect websites that authorize HTTP requests by some mechanism other than the Cookie request header (e.g., implicit authorization based on the requester's IP address). However, anti-csrf DOES enable a website to protect its users from being victimized by attacks originating from that website and targeted at other websites the user has a relationship with.
Documents that enable anti-csrf must not depend on external resources that are only accessible via Cookie-authenticated HTTP requests.
Examples
TODO: Add some examples.
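The following is an added worked example, not part of this draft, that models the anti-csrf semantics above as a browser-side decision: parse the policy, classify the request, and decide whether the Cookie header is attached. The page states that requests outside the listed categories never carry cookies; the example further assumes that listed categories (resource load, link, form) keep cookies only for self URIs, and the hosts, cookie values and policy strings are constructed.

```python
from urllib.parse import urlsplit

# Request categories the directive names explicitly; everything else is "other".
COOKIE_ELIGIBLE = {"resource", "link", "form"}


def parse_policy(policy: str) -> set:
    """Return the set of directive names in a CSP policy string."""
    return {d.strip().split()[0].lower() for d in policy.split(";") if d.strip()}


def origin(url: str) -> tuple:
    """(scheme, host, port) tuple used to decide whether a URI is 'self'."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return (u.scheme, u.hostname, port)


def cookie_allowed(policy: str, document_url: str, request_url: str, category: str) -> bool:
    """Decide whether the Cookie header may accompany a request made by the document."""
    if "anti-csrf" not in parse_policy(policy):
        return True  # No directive: the browser attaches cookies as usual.
    if category not in COOKIE_ELIGIBLE:
        return False  # "All other requests" SHALL NOT carry the Cookie header.
    # Assumption (not stated on the page): listed categories keep cookies only for self URIs.
    return origin(request_url) == origin(document_url)


def build_headers(policy, document_url, request_url, category, cookie_jar):
    """Build outgoing request headers; cookie_jar maps host -> Cookie header value."""
    host = urlsplit(request_url).hostname
    headers = {"Host": host}
    if cookie_allowed(policy, document_url, request_url, category) and host in cookie_jar:
        headers["Cookie"] = cookie_jar[host]
    return headers


if __name__ == "__main__":
    # Constructed scenario: a forum page that renders user-posted content, viewed by a
    # user who also holds an authenticated session at bank.example. The injected bytes
    # are an <img> tag whose src points at a different-origin, cookie-authenticated URL.
    jar = {"forum.example": "sid=forum123", "bank.example": "session=bank456"}
    page = "https://forum.example/thread/42"
    injected_img = "https://bank.example/transfer"
    for policy in ("default-src 'self'", "default-src 'self'; anti-csrf"):
        print(policy, "->", build_headers(policy, page, injected_img, "resource", jar))
```

With anti-csrf present the different-origin image request goes out without the bank session cookie, while a same-origin image on the forum keeps its own cookie.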
Open Issues
This section contains a list of open issues.
- The list of HTTP requests where the Cookie header is allowed to be sent must be exhaustive.
- The CSP policy should be allowed to contain URIs that are exempted from anti-csrf restrictions.