On Sun, 2010-04-04 at 13:07 +0300, Eddy Nigg wrote:
> On 04/04/2010 07:44 AM, Matt McCutchen:
> > Such configurations are uncommon, but they are not intrinsically
> > unreasonable. Sites that put parameters in URI path components are
> > likely to keep the same approach for their write requests. For example,
> > but for Launchpad's refusal of client-initiated renegotiation, it would
> > be vulnerable to a request to subscribe to one bug being changed to a
> > different bug. (Note that they use the Referer, not a token for XSRF
> > protection.)
> >
>
> Which is simply another user input (modifiable by the user).
That's irrelevant. The Referer is an effective XSRF defense because a malicious site cannot spoof a Launchpad referrer when sending a request to Launchpad. See this article, section 4.2, conclusion #1:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.140.2584&rep=rep1&type=pdf

--
Matt

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
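The Referer check Matt describes, written out as an added example (this is not Launchpad's code and not from the thread): a strict validator for state-changing requests that accepts only an HTTPS Referer whose host is exactly the site's own, and rejects a missing, foreign, look-alike or userinfo-padded Referer. `SITE_HOST` is a constructed value.

```python
from urllib.parse import urlsplit

# Constructed value for the example; a real deployment would use its own host.
SITE_HOST = "launchpad.net"


def referer_allows_write(referer, site_host=SITE_HOST):
    """Return True only if the Referer shows the request came from a page
    on site_host served over HTTPS.

    Strict policy: a missing or unparsable Referer is rejected. A foreign
    site cannot forge a same-origin Referer, but it can arrange for the
    header to be absent, so absence must not be treated as same-origin.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        # Malformed URL (e.g. unbalanced IPv6 brackets): treat as foreign.
        return False
    if parts.scheme != "https":
        # An http:// page cannot be one of ours, and a downgrade is suspicious.
        return False
    # .hostname drops userinfo and port and lower-cases the name, so
    # "https://launchpad.net@evil.example/" resolves to evil.example and
    # "https://launchpad.net.evil.example/" is a different host entirely.
    return parts.hostname == site_host


def check_request(headers, method):
    """Gate a request: reads are always allowed, writes need a valid Referer.

    `headers` is a dict of request headers; `method` is the HTTP method.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    return referer_allows_write(headers.get("Referer"))
```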