
I guess my true question is why you need a CSRF token and SOP (isn't a strict CORS policy enough?).

CSRF: when evil.com makes a request to bank.com/logout

If evil.com does it through XHR, then the browser will simply give a cross-origin error, as the server has a strict CORS policy.

If a person does a curl request, then there is no point, since they don't have the cookie session data to perform the action with.

...now, this is my understanding: requests made by tags like form, img, script, and some meta tags aren't blocked by the browser even if the request is to a different origin.

So is cookie data sent with these requests, and can the server still see the Referer/Origin headers? If so...

then won't that be enough to prevent any CSRF attack, as the server knows whether the request was made from the right site or not?

Muhammad Umer
  • Possible duplicate of [How does CSRF correlate with Same Origin Policy](https://security.stackexchange.com/questions/157061/how-does-csrf-correlate-with-same-origin-policy), [How are Ajax requests vulnerable to CSRF attacks if the Same-origin policy is applied?](https://security.stackexchange.com/questions/58755/how-are-ajax-requests-vulnerable-to-csrf-attacks-if-the-same-origin-policy-is-ap). – Steffen Ullrich Oct 19 '17 at 07:10
  • The linked question neither asks nor answers why the server can't simply ignore requests with a different Origin/Referer header. It just says the browser doesn't let you read the response, and the request is still made. Very useful point, but different – Muhammad Umer Oct 19 '17 at 07:23
  • @SteffenUllrich if that's unclear let me know – Muhammad Umer Oct 19 '17 at 07:24
  • *enough to prevent any CSRF attack as server knows whether request was made from right site or not.* - of course the point in preventing cross-site request forgery is to know if this is a cross-site request in the first place. If it is a same-site request, it cannot be a CSRF attack per definition of what CSRF is. – Steffen Ullrich Oct 19 '17 at 07:33
  • See also [Is checking the Referer and Origin headers enough to prevent CSRF, provided that requests with neither are rejected?](https://security.stackexchange.com/questions/158045/is-checking-the-referer-and-origin-headers-enough-to-prevent-csrf-provided-that). – Steffen Ullrich Oct 19 '17 at 07:35
  • That link furthers the confusion... from there: OWASP recommends using a CSRF token in addition to headers, and the accepted answer says yes, rejecting any request without a header or with a wrong header is safe – Muhammad Umer Oct 19 '17 at 07:44
  • The accepted answer there is correct. The additional answer has a vote count of 0 and an upvoted comment which questions this answer. There should be no confusion if you just follow what is accepted and what is up-voted. – Steffen Ullrich Oct 19 '17 at 08:22
  • Part of my question was about the img tag and POST requests; now, based on that answer, if I were to simply reject all requests with a bad or missing Origin/Referer header, then POST, script and img tags won't work, as usually the header is not sent, at least for img requests. – Muhammad Umer Oct 19 '17 at 15:01
  • *... as usually the header is not sent, at least for img requests...* - first, that's not true. Second: CSRF checks are only needed for resources which can have unwanted effects. Any URLs which cannot have bad effects in the first place need not be CSRF protected. – Steffen Ullrich Oct 19 '17 at 15:55

0 Answers