(Created page with '= Overview = This document defines the CSRFModule, which contains the cross-site request forgery mitigations. The CSRFModule lets web developers mitigate CSRF attacks by disabli…')
This section contains a list of open issues.
*The attacker could bypass the defense by hyperlinking to attacker.com, which isn't using CSP, and then submit the CSRF request from there.
*The list of HTTP requests where the <tt>Cookie</tt> header is allowed to be sent must be exhaustive.
*The CSP policy should be allowed to contain URIs that are exempted from <tt>anti-csrf</tt> restrictions.