SameOriginOnly

Web security is horribly broken. No news there. Some time ago I proposed SameRefererOnly as a potential solution to the problems of CSRF. This is a quick update on what's happening with the proposal.

Recap: I think we could adapt an idea like HttpOnly to tackle CSRF. The original idea was to have a "SameRefererOnly" marker for cookies. It would be an indication that a cookie should only be sent to a site when the referring domain matches the destination domain.

As a result of this paper on Login CSRF, it seems that several browser manufacturers would like to implement the Origin: header. The Origin header is very similar to the Referer header, except that it does not contain the full URL, only the scheme, host and port of the page that initiated the request. Referer checking is of little use against CSRF attacks: many proxies remove the header for privacy reasons, and an attacker can force its removal by redirecting through an FTP URL (see the paper for details). So a default-deny policy (reject requests with no Referer) locks out legitimate users behind such proxies, and a default-allow policy (accept requests with no Referer) lets an attacker who has forced its removal straight through. Both are broken.

Whilst the Origin header does help, I'm not convinced that it is a complete solution. Firstly, it depends on privacy concerns being all about the path of a URL and not the domain. I'm not convinced that's correct. Secondly, it still requires action (i.e. Origin header checking) on the part of the server.
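To make the server-side point concrete, here is an added example (my own, not code from the original post or from the paper) that models the three policies discussed above against a handful of constructed requests: a Referer check that denies when the header is missing, a Referer check that allows when it is missing, and an Origin check. The protected site's origin, the request objects and every header value are made up for illustration. How a real browser fills in Origin after the FTP-redirect trick is not modelled; the example only relies on the fact that whatever value it carries, it cannot equal the protected site's own origin.

```javascript
// Added example (not from the original post or the paper): server-side CSRF
// checks on a state-changing POST, comparing Referer-based policies with an
// Origin check. All requests and headers below are constructed for illustration.

const SITE_ORIGIN = "https://bank.example"; // hypothetical protected site

// Reduce a URL to its origin (scheme://host[:port]); null if unparseable.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Referer-based policy. `missing` says what to do when the header is absent:
// "deny" rejects the request, "allow" lets it through.
function refererPolicy(req, missing) {
  const ref = req.headers["referer"];
  if (ref === undefined) return missing === "allow";
  return originOf(ref) === SITE_ORIGIN;
}

// Origin-based policy: accept only when the header names the site itself.
// A missing Origin is treated as cross-site (default deny).
function originPolicy(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) return false;
  return origin === SITE_ORIGIN;
}

// Constructed requests, keyed by scenario.
const requests = {
  // Legitimate form post from the site's own page.
  legit: {
    headers: {
      referer: "https://bank.example/transfer?acct=42",
      origin: "https://bank.example",
    },
  },
  // The same user behind a privacy proxy that strips Referer.
  legitStripped: {
    headers: { origin: "https://bank.example" },
  },
  // A cross-site attack page submitting the form.
  attack: {
    headers: {
      referer: "https://evil.example/csrf.html",
      origin: "https://evil.example",
    },
  },
  // The same attack after forcing the Referer to be dropped. Origin is still
  // not bank.example, which is all the Origin check needs.
  attackStripped: {
    headers: { origin: "https://evil.example" },
  },
};

// Run every scenario through every policy; true means "request accepted".
function evaluate() {
  const result = {};
  for (const [name, req] of Object.entries(requests)) {
    result[name] = {
      refererDeny: refererPolicy(req, "deny"),
      refererAllow: refererPolicy(req, "allow"),
      origin: originPolicy(req),
    };
  }
  return result;
}

console.table(evaluate());
```

Reading the table: the deny-on-missing Referer policy rejects `legitStripped`, the allow-on-missing policy accepts `attackStripped`, and only the Origin check gets all four right. That is the improvement the paper buys, and also the catch the post raises: the server still has to perform the check on every state-changing request.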

So I still believe that the original idea makes sense, however in deference to the obvious (semi-deliberate) spelling mistake, and a growing belief that 'Origin is the new Referer', I'm now calling it SameOriginOnly, otherwise the basic ideas are the same as they were originally.

Mark Goodwin has created a Firefox plugin that allows Firefox to obey the principles behind SameOriginOnly, and I've done a very quick hack on Jetty that allows it to emit cookies marked SameOriginOnly when you ask it for an HttpOnly cookie. Both are a work in progress.
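As an added example (my own, not the Firefox plugin's or Jetty's code), the following JavaScript shows both halves of the proposal from the recap above: a server helper that appends a SameOriginOnly attribute whenever an HttpOnly cookie is requested, and a toy browser cookie jar that parses that attribute and refuses to attach the cookie to requests whose initiating origin differs from the destination. The attribute name is the post's; its exact Set-Cookie syntax, the cookie values, and the decision to withhold such cookies when there is no referring origin at all are assumptions of the example.

```javascript
// Added example (not from the original post, the Firefox plugin or the Jetty
// hack): a server helper that emits a SameOriginOnly cookie and a toy browser
// cookie jar that honours it. Attribute syntax and sample values are assumed.

// Server side: mirror the described Jetty behaviour by marking every HttpOnly
// cookie SameOriginOnly as well.
function setCookieHeader(name, value, { httpOnly = false, secure = false } = {}) {
  let header = `${name}=${value}; Path=/`;
  if (secure) header += "; Secure";
  if (httpOnly) header += "; HttpOnly; SameOriginOnly";
  return header;
}

// Browser side: parse a Set-Cookie header into a stored cookie record.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    httpOnly: false,
    sameOriginOnly: false,
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const key = attr.split("=")[0].toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "sameoriginonly") cookie.sameOriginOnly = true;
    else if (key === "secure") cookie.secure = true;
  }
  return cookie;
}

function originOf(url) {
  return new URL(url).origin;
}

// Decide which stored cookies the browser attaches to a request for `target`
// initiated from a page at `initiator`. `initiator` is null when nothing
// referred the request (typed URL, bookmark, or a stripped referrer); the
// conservative choice taken here is to treat that as not same-origin.
function cookiesForRequest(jar, target, initiator) {
  const dest = originOf(target);
  const src = initiator === null ? null : originOf(initiator);
  return jar
    .filter((c) => !c.secure || dest.startsWith("https:"))
    .filter((c) => !c.sameOriginOnly || src === dest)
    .map((c) => `${c.name}=${c.value}`);
}

// Constructed jar for https://bank.example: a session cookie set HttpOnly (and
// therefore SameOriginOnly) and an ordinary preference cookie.
const jar = [
  parseSetCookie(setCookieHeader("JSESSIONID", "abc123", { httpOnly: true })),
  parseSetCookie(setCookieHeader("theme", "dark")),
];

// Three requests to the same state-changing URL from different initiators.
function demo() {
  const target = "https://bank.example/transfer";
  return {
    sameOrigin: cookiesForRequest(jar, target, "https://bank.example/account"),
    crossSite: cookiesForRequest(jar, target, "https://evil.example/csrf.html"),
    noReferrer: cookiesForRequest(jar, target, null),
  };
}

console.log(demo());
```

In the cross-site case the session cookie simply never leaves the browser, so the forged transfer arrives unauthenticated whether or not the server checks Origin. The no-referrer case shows the trade-off a real implementation has to settle: a user who types the URL or follows a bookmark also has no initiating origin, and withholding the cookie there (as this example does) would log them out, which the post does not address.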
