https://wiki.mozilla.org/api.php?action=feedcontributions&feedformat=atom&user=MtlMozillaWiki - User contributions [en]2026-05-02T19:31:45ZUser contributionsMediaWiki 1.39.10https://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177780Security/CSP/CSRFModule2009-10-22T18:06:17Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf" / "cookieless-images"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>&lt;img src=&hellip;&gt;</tt>, <tt>&lt;link href=&hellip;&gt;</tt>, <tt>&lt;script src=&hellip;&gt;</tt>, <tt>&lt;iframe src=&hellip;&gt;</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
== <tt>cookieless-images</tt> ==<br />
<br />
TODO: Affects all images, regardless of where they are loaded from. Cookies are also disallowed over all redirects encountered while locating the image.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*Any policy governing the sending of cookies to URIs other than <tt>self</tt> requires enforcement of the policy over all HTTP redirects encountered while loading the URI. (Presumably <tt>self</tt> is in control of its redirects.) Enforcement of CSP policies over redirects may be in conflict with [[Security/CSP/BaseModule|BaseModule]], if BaseModule defines CSP policies to be non-composeable, and any redirect or the resource declares a CSP policy.<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The <tt>anti-csrf</tt> list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177774Security/CSP/CSRFModule2009-10-22T17:58:30Z<p>Mtl: /* cookieless-images */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf" / "cookieless-images"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
== <tt>cookieless-images</tt> ==<br />
<br />
TODO: Affects all images, regardless of where they are loaded from. Cookies are also disallowed over all redirects encountered while locating the image.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*Any policy governing the sending of cookies to URIs other than <tt>self</tt> requires enforcement of the policy over all HTTP redirects encountered while loading the URI. (Presumably <tt>self</tt> is in control of its redirects.) Enforcement of CSP policies over redirects may be in conflict with [[Security/CSP/BaseModule|BaseModule]], if BaseModule defines CSP policies to be non-composeable, and any redirect or the resource declares a CSP policy.<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The <tt>anti-csrf</tt> list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177773Security/CSP/CSRFModule2009-10-22T17:55:46Z<p>Mtl: /* Open Issues */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf" / "cookieless-images"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
== <tt>cookieless-images</tt> ==<br />
<br />
TODO: Affects all images, regardless of where they are loaded from.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*Any policy governing the sending of cookies to URIs other than <tt>self</tt> requires enforcement of the policy over all HTTP redirects encountered while loading the URI. (Presumably <tt>self</tt> is in control of its redirects.) Enforcement of CSP policies over redirects may be in conflict with [[Security/CSP/BaseModule|BaseModule]], if BaseModule defines CSP policies to be non-composeable, and any redirect or the resource declares a CSP policy.<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The <tt>anti-csrf</tt> list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177769Security/CSP/CSRFModule2009-10-22T17:51:13Z<p>Mtl: /* Open Issues */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf" / "cookieless-images"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
== <tt>cookieless-images</tt> ==<br />
<br />
TODO: Affects all images, regardless of where they are loaded from.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*Any policy governing the sending of cookies to URIs other than <tt>self</tt> requires enforcement of the policy over all HTTP redirects encountered while loading the URI. (Presumably <tt>self</tt> is in control of its redirects.) Enforcement of CSP policies over redirects may be in conflict with [[Security/CSP/BaseModule|BaseModule]], if BaseModule defines CSP policies to be non-composeable, and any redirect or the resource declares a CSP policy.<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177768Security/CSP/CSRFModule2009-10-22T17:50:07Z<p>Mtl: /* Open Issues */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf" / "cookieless-images"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
== <tt>cookieless-images</tt> ==<br />
<br />
TODO: Affects all images, regardless of where they are loaded from.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*Any policy governing the sending of cookies to URIs other than <tt>self</tt> requires enforcement of the policy over all HTTP redirects encountered while loading the URI. (Presumably <tt>self</tt> is in control of its redirects.) CSP policy enforcement may be in conflict with [[Security/CSP/BaseModule|BaseModule]], if BaseModule defines CSP policies to be non-composeable, and any redirect or the resource declares a CSP policy.<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177765Security/CSP/CSRFModule2009-10-22T17:47:44Z<p>Mtl: </p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf" / "cookieless-images"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
== <tt>cookieless-images</tt> ==<br />
<br />
TODO: Affects all images, regardless of where they are loaded from.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*Any policy governing the sending of cookies to URIs other than |self| requires enforcement of the policy over all HTTP redirects encountered while loading the URI. This may be in conflict with [[Security/CSP/BaseModule|BaseModule]] if BaseModule defines CSP policies to be non-composeable.<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177763Security/CSP/CSRFModule2009-10-22T17:46:09Z<p>Mtl: /* Open Issues */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf" / "cookieless-images"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
== <tt>cookieless-images</tt> ==<br />
<br />
TODO: Affects all images, regardless of where they are loaded from.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*Any policy governing the sending of cookies to URIs other than |self| requires enforcement of the policy over all HTTP redirects encountered while loading the URI. This may be in conflict with BaseModule if CSP policies are not composeable.<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177754Security/CSP/CSRFModule2009-10-22T17:11:25Z<p>Mtl: </p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf" / "cookieless-images"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
== <tt>cookieless-images</tt> ==<br />
<br />
TODO: Affects all images, regardless of where they are loaded from.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177753Security/CSP/CSRFModule2009-10-22T17:10:21Z<p>Mtl: /* Syntax */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf" / "cookieless-images"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177750Security/CSP/CSRFModule2009-10-22T17:00:01Z<p>Mtl: /* Open Issues */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).<br />
**Link activations are still vulnerable to this attack, however.<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177749Security/CSP/CSRFModule2009-10-22T16:59:21Z<p>Mtl: /* Open Issues */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there. Form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations). Link activations are still vulnerable to this attack, however.<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177747Security/CSP/CSRFModule2009-10-22T16:54:03Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt>-authorized HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/CSRFModule&diff=177735Security/CSP/CSRFModule2009-10-22T15:52:20Z<p>Mtl: Created page with '= Overview = This document defines the CSRFModule, which contains the cross-site request forgery mitigations. The CSRFModule lets web developers mitigate CSRF attacks by disabliā¦'</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt> authenticated HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=Security/CSP/Modules&diff=177733Security/CSP/Modules2009-10-22T15:51:54Z<p>Mtl: </p>
<hr />
<div>This page describes the status of the various CSP modules: <br />
<br />
{| width="200" border="1" cellpadding="1" cellspacing="1"<br />
|-<br />
! scope="col" | Module <br />
! scope="col" | Status<br />
|-<br />
| [[Security/CSP/BaseModule|BaseModule]]<br />
| Required<br />
|-<br />
| [[Security/CSP/XSSModule|XSSModule]] <br />
| Recommended<br />
|-<br />
| [[Security/CSP/HistoryModule|HistoryModule]] <br />
| Experimental<br />
|-<br />
| [[Security/CSP/ClickJackingModule|ClickJackingModule]] <br />
| Experimental<br />
|-<br />
| [[Security/CSP/CSRFModule|CSRFModule]] <br />
| Experimental<br />
|}<br />
<br />
<br />
<br></div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177732User:Mtl2009-10-22T15:50:36Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at certain other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt> authenticated HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177731User:Mtl2009-10-22T15:49:39Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address). However, <tt>anti-csrf</tt> DOES enable a website to protect its users from being victimized by attacks originating from said website, targeted at other websites the user has a relationship with.<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt> authenticated HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177729User:Mtl2009-10-22T15:46:24Z<p>Mtl: /* Threat Model */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [http://en.wikipedia.org/wiki/Cross-site_request_forgery cross-site request forgery] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address).<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt> authenticated HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177728User:Mtl2009-10-22T15:45:21Z<p>Mtl: /* Threat Model */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of [[http://en.wikipedia.org/wiki/Cross-site_request_forgery|cross-site request forgery]] vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address).<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt> authenticated HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177726User:Mtl2009-10-22T15:44:21Z<p>Mtl: /* Open Issues */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address).<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt> authenticated HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues. <br />
<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.<br />
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177723User:Mtl2009-10-22T15:42:32Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address).<br />
<br />
<b>Documents that enable <tt>anti-csrf</tt> must not depend on external resources that are only accessible via <tt>Cookie</tt> authenticated HTTP request.</b><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be made exhaustive.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177722User:Mtl2009-10-22T15:40:51Z<p>Mtl: /* Open Issues */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address).<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be made exhaustive.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177721User:Mtl2009-10-22T15:37:52Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
The <tt>anti-csrf</tt> directive DOES NOT protect a website against CSRF attacks against itself (where <i>itself</i> is defined as the set of <tt>self</tt> URIs). Nor does <tt>anti-csrf</tt> protect against CSRF for such websites that authorize HTTP requests by some mechanism other than <tt>Cookie</tt> request headers (e.g., implicit authorization based on requester's IP address).<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177719User:Mtl2009-10-22T15:34:31Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
The <tt>anti-csrf</tt> directive protects websites against CSRF attacks by preventing authorization tokens stored in cookies from being sent in different-origin HTTP requests. Without <tt>anti-csrf</tt>, the attacker is able to cause the user agent to submit fraudulent requests to websites where the user has an active, authenticated browsing session.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177712User:Mtl2009-10-22T15:21:38Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other NECESSARY and SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177711User:Mtl2009-10-22T15:20:16Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the user agent submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include a <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs. This is a NECESSARY condition for including a <tt>Cookie</tt> request header. Other SUFFICIENT conditions for including a <tt>Cookie</tt> request header are outside the scope of CSRFModule.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177710User:Mtl2009-10-22T15:15:02Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
<ol><br />
<li>When the browser submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
<ol style="list-style-type:lower-alpha"><br />
<li>external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),</li><br />
<li>link activation,</li><br />
<li>form action,</li><br />
</ol><br />
the HTTP request SHALL include <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs.</li><br />
<li>For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.</li><br />
</ol><br />
<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177709User:Mtl2009-10-22T15:11:25Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
#When the browser submits any HTTP request in context of the document with enabled CSP <tt>anti-csrf</tt> directive, where such request is classified as one of:<br />
## external resource load (e.g., <tt>img src</tt>, <tt>link href</tt>, <tt>script src</tt>, <tt>iframe src</tt>, etc.),<br />
## link activation,<br />
## form action,<br />
the HTTP request SHALL include <tt>Cookie</tt> request header ONLY when the requested URI is contained in the [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]] set of URIs.<br />
#For all other HTTP requests in context of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header SHALL NOT be included in the request.<br />
<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177699User:Mtl2009-10-22T14:59:39Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
#When the browser submits any HTTP request for URI not contained in [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]], when such request is performed in context (e.g., load external resource, link activation, form action, etc.) of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header shall not be sent in the HTTP request.<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177698User:Mtl2009-10-22T14:58:23Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== <tt>anti-csrf</tt> ==<br />
<br />
The <tt>anti-csrf</tt> directive is designed to be a first line of defense against CSRF attacks. If the CSP policy contains the <tt>anti-csrf</tt> directive, the directive has the following effects: <br />
<br />
#When the browser submits any HTTP request for URI not contained in [[Security/CSP/BaseModule#Semantics|<tt>self</tt>]], when such request is performed in context (e.g., load external resource, form action, etc.) of the document with enabled CSP <tt>anti-csrf</tt> directive, the <tt>Cookie</tt> request header shall not be sent in the HTTP request.<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177591User:Mtl2009-10-21T22:18:21Z<p>Mtl: /* anti-csrf */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== anti-csrf ==<br />
<br />
The anti-csrf directive is designed to be a first line of defense against CSRF attacks. If the csp-policy contains the anti-csrf directive, the directive has the following effects: <br />
<br />
#The browser MUST NOT execute inline script in the current web page, including inline script elements and inline event handles. <br />
#The browser MUST NOT load external scripts or plug-in objects into the current web page from URLs other than "self", defined above. <br />
#The browser MUST ignore any JavaScript or Data URLs in the current web page.<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177590User:Mtl2009-10-21T22:16:53Z<p>Mtl: /* Threat Model */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on the user's behalf.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== anti-csrf ==<br />
<br />
The block-xss directive is designed to be a first line of defense against XSS attacks. &nbsp;The csp-policy contains at least one block-xss directive, the directive(s) have the following effects: <br />
<br />
#The browser MUST NOT execute inline script in the current web page, including inline script elements and inline event handles. <br />
#The browser MUST NOT load external scripts or plug-in objects into the current web page from URLs other than "self", defined above. <br />
#The browser MUST ignore any JavaScript or Data URLs in the current web page.<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177589User:Mtl2009-10-21T22:16:21Z<p>Mtl: /* Threat Model */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon rendering the target web page, to send fraudulent HTTP requests on behalf of the user.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== anti-csrf ==<br />
<br />
The block-xss directive is designed to be a first line of defense against XSS attacks. &nbsp;The csp-policy contains at least one block-xss directive, the directive(s) have the following effects: <br />
<br />
#The browser MUST NOT execute inline script in the current web page, including inline script elements and inline event handles. <br />
#The browser MUST NOT load external scripts or plug-in objects into the current web page from URLs other than "self", defined above. <br />
#The browser MUST ignore any JavaScript or Data URLs in the current web page.<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177588User:Mtl2009-10-21T22:15:59Z<p>Mtl: /* Threat Model */</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon viewing the target web page, to send fraudulent HTTP requests on behalf of the user.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== anti-csrf ==<br />
<br />
The block-xss directive is designed to be a first line of defense against XSS attacks. &nbsp;The csp-policy contains at least one block-xss directive, the directive(s) have the following effects: <br />
<br />
#The browser MUST NOT execute inline script in the current web page, including inline script elements and inline event handles. <br />
#The browser MUST NOT load external scripts or plug-in objects into the current web page from URLs other than "self", defined above. <br />
#The browser MUST ignore any JavaScript or Data URLs in the current web page.<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177587User:Mtl2009-10-21T22:14:04Z<p>Mtl: </p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon viewing the target web page, to send fraudulent HTTP requests carrying the user's authorization credentials to a different web site.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The CSRFModule introduces the following directive: <br />
<pre>directive = "anti-csrf"</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directive introduced in the CSRFModule.<br />
<br />
== anti-csrf ==<br />
<br />
The block-xss directive is designed to be a first line of defense against XSS attacks. &nbsp;The csp-policy contains at least one block-xss directive, the directive(s) have the following effects: <br />
<br />
#The browser MUST NOT execute inline script in the current web page, including inline script elements and inline event handles. <br />
#The browser MUST NOT load external scripts or plug-in objects into the current web page from URLs other than "self", defined above. <br />
#The browser MUST ignore any JavaScript or Data URLs in the current web page.<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them.</div>Mtlhttps://wiki.mozilla.org/index.php?title=User:Mtl&diff=177571User:Mtl2009-10-21T21:02:43Z<p>Mtl: Created page with '= Overview = This document defines the CSRFModule, which contains the cross-site request forgery mitigations. The CSRFModule lets web developers mitigate CSRF attacks by disabliā¦'</p>
<hr />
<div>= Overview =<br />
<br />
This document defines the CSRFModule, which contains the cross-site request forgery mitigations.<br />
The CSRFModule lets web developers mitigate CSRF attacks by disabling unneeded functionality used by attackers to mount CSRF attacks.<br />
<br />
= Dependencies =<br />
<br />
This module depends on the [[Security/CSP/BaseModule|BaseModule]].<br />
<br />
= Threat Model =<br />
<br />
The CSRFModule seeks to help web developers reduce the severity of cross-site request forgery vulnerabilities in web sites. In particular, the CSRFModule is concerned with defending against an attacker with the following abilities: <br />
<br />
*The attacker can inject a sequence of bytes into a target web page. <br />
*The attacker can cause the user to visit the target web page.<br />
<br />
We further assume the web developer wishes to prevent the attacker from achieving the following goals: <br />
<br />
*The attacker causes the user's browser, upon viewing the target web page, to send fraudulent HTTP requests carrying the user's authorization credentials to a different web site.<br />
<br />
We assume that the browser properly implements the same-origin policy and does not contain any privilege escalation vulnerabilities.<br />
<br />
= Syntax =<br />
<br />
The XSSModule introduces the following directives: <br />
<pre>directive = "block-xss" / "block-eval" / "script-src"<br />
</pre><br />
<br />
= Semantics =<br />
<br />
This section describes the semantics of the directives introduced in the XSSModule.<br />
<br />
== block-xss ==<br />
<br />
The block-xss directive is designed to be a first line of defense against XSS attacks. &nbsp;The csp-policy contains at least one block-xss directive, the directive(s) have the following effects: <br />
<br />
#The browser MUST NOT execute inline script in the current web page, including inline script elements and inline event handles. <br />
#The browser MUST NOT load external scripts or plug-in objects into the current web page from URLs other than "self", defined above. <br />
#The browser MUST ignore any JavaScript or Data URLs in the current web page.<br />
<br />
The block-xss directive blocks inline script because an XSS attacker can run JavaScript by inject script tags or inline event handlers into the target page. &nbsp;The block-xss directive also blocks loading external scripts and plug-ins from other origins to prevent the XSS attacker from injecting a script tag that loads a malicious script from attacker.com.<br><br />
<br />
== block-eval ==<br />
<br />
The block-eval directive is designed to mitigate DOM-based XSS vulnerabilities caused by indiscriminate use of eval and other eval-like features. &nbsp;If the csp-policy contains at least one block-eval directive, the directive(s) have the following effects:<br />
<br />
#The eval API MUST ignore its arguments and return undefined. <br />
#The setTimeout and setInterval APIs MUST ignore their argument if the first argument is a string (which would otherwise be evaluated after the given delay). <br />
#The&nbsp;Function constructor MUST ignore its arguments if its first argument is a string (which would otherwise by evaluated when the function is called).<br />
<br />
The block-eval directive is not strictly necessary to mitigate reflective or stored XSS vulnerabilities. &nbsp;However, some web developer might find the directive useful as a second line of defense.<br><br />
<br />
== script-src ==<br />
<br />
The script-src directive is design give web developers more fine-grained control over from where their web page can load external script. &nbsp;If the csp-policy contains at least one script-src directive, let the ''effective origin-list'' be the intersection of the set of URLs denoted by all the script-src origin lists. &nbsp;The directive(s) have the following effects:<br />
<br />
#The browser MUST NOT enforce the restrictions on loading external scripts or plug-in objects given by the block-xss directive because the script-src overrides those restrictions with a finer-grained policy. <br />
#The browser MUST NOT load an external script into the current web page unless loading that script respects the effective&nbsp;origin-list. <br />
#The browser MUST NOT load an plug-in object into the current web page unless loading that script respects the effective origin-list.<br />
<br />
In order to mitigate XSS vulnerabilities, the script-src directive SHOULD be used in conjunction with the block-xss directive.<br />
<br />
= Examples =<br />
<br />
TODO: Add some examples.<br />
<br />
= Open Issues =<br />
<br />
This section contains a list of open issues.&nbsp; <br />
<br />
*XBL bindings. &nbsp;We should disable XBL bindings for the block-xss directive, but they are a non-standard feature, so it's unclear how to write normative requirements for them. <br />
*CSS expression. &nbsp;Attackers can also embed script in CSS in IE using CSS expressions. &nbsp;We should figure out how to recommend that this be disabled too.<br />
*Strict MIME type handling for script-src. &nbsp;I'm inclined to leave that for another directive ("strict-types" or some such). &nbsp;The attack vector is pretty obscure. <br />
*Password theft. &nbsp;The XSSModule doesn't help with password theft because the attacker can make a fake password field. &nbsp;I think we should have a separate module targeted at that issue.</div>Mtl