by
sdevlin
5188 days ago
It's not that the referer header is not "enough". "Enough" implies that it falls somewhere on the scale of trustworthiness.
It's user input. Don't trust user input.
1 comments
eurleif
5188 days ago
Why shouldn't you trust user-provided data to secure the same user's data? The potential attack is someone forging their own referer header in order to attack themself.
sdevlin
5188 days ago
The referer header can easily be forged. The whole point of a CSRF attack is to turn a user's credentials against him.
eurleif
5188 days ago
How do you forge the referer header as a third-party site?
sdevlin
5188 days ago
Ha, I'm wrong. I thought you could set the referer with setRequestHeader on an XHR. Mea maxima culpa.
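The point the thread arrives at is that a third-party page cannot set the Referer (or Origin) header on requests the browser sends, since browsers treat them as forbidden header names, which is why a server-side origin check is a workable CSRF defence. The snag a practitioner has to handle is the request that carries neither header (privacy extensions, referrer policies and some proxies strip Referer), which must be rejected rather than waved through. The following is an added example, not code from the thread or from any of its participants; TRUSTED_ORIGIN and the sample header sets are constructed values.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Origin the application is served from (constructed example value).
TRUSTED_ORIGIN = "https://app.example"


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if it does not parse as one."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_origin_check(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a state-changing request came from our own origin.

    Prefers Origin (sent by browsers on cross-origin form posts and on
    XHR/fetch), then falls back to Referer. Both are written by the browser
    and cannot be overwritten by page script, so a third-party page cannot
    make them claim TRUSTED_ORIGIN. Comparison is on the whole origin, not a
    string prefix, so "https://app.example.evil.example" does not match.
    A request with neither header is rejected: failing open there would hand
    the bypass to anyone who can get the header stripped.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if value is None:
            continue
        if value.strip().lower() == "null":
            # Opaque origin (sandboxed frame, data: URL, etc.): never trusted.
            return False, f"{name} is 'null'"
        origin = _origin_of(value)
        if origin == TRUSTED_ORIGIN:
            return True, f"{name} matches {TRUSTED_ORIGIN}"
        return False, f"{name} is {origin!r}, not {TRUSTED_ORIGIN!r}"
    return False, "neither Origin nor Referer present; failing closed"


if __name__ == "__main__":
    # Constructed header sets standing in for real requests.
    samples = [
        {"Origin": "https://app.example", "Referer": "https://app.example/settings"},
        {"Referer": "https://app.example/settings"},
        {"Referer": "https://attacker.example/page"},
        {"Origin": "https://app.example.attacker.example"},
        {"Origin": "null"},
        {},
    ]
    for s in samples:
        print(csrf_origin_check(s))
```

Design note: the check is a same-origin test, so it belongs alongside, not instead of, a synchronizer token; the header check's value is that it is cheap and catches the cross-site case the thread describes even when the application's token handling is imperfect.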