On Sun, 2010-04-04 at 14:06 +0300, Eddy Nigg wrote:
> On 04/04/2010 01:49 PM, Matt McCutchen:
> > > Which is simply another user input (modifiable by the user).
> > >
> > That's irrelevant. The Referer is an effective XSRF defense because a
> > malicious site cannot spoof a Launchpad referrer when sending a request
> > to Launchpad.
> >
> Huuu? And why not?

How would it? What HTML / JavaScript could https://evil.com use to get my
browser to issue a malicious request to https://launchpad.net with a
referrer of https://launchpad.net ?

> Where exactly? I haven't seen that this information is not subject to
> user modification.

You are still missing the point. The user can modify the referrer header,
sure, but the attack site that wishes to forge a cross-site request cannot
(unless the user specifically modified the browser to allow that, which
would be foolish).

-- 
Matt

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
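The server-side check the thread is arguing about, written out as an added example (not code from the thread, the list, or Launchpad): a state-changing request is accepted only if its Referer, or Origin where the browser sends one (an addition beyond the Referer check discussed above), parses to the protected site's origin. TRUSTED_ORIGIN and the sample headers are constructed values.

```python
from urllib.parse import urlsplit

# Constructed value for the example: the origin of the site being protected.
TRUSTED_ORIGIN = "https://launchpad.net"


def origin_of(url: str):
    """Reduce a URL to scheme://host[:port], or None if it is not an http(s) URL."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # malformed port such as "https://host:abc/"
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is not None and port != default_port:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def naive_referer_check(referer: str) -> bool:
    """String-prefix check, shown only because it is a common mistake:
    it accepts https://launchpad.net.evil.com/ as if it were Launchpad."""
    return referer.startswith(TRUSTED_ORIGIN)


def is_same_site_request(headers: dict, strict: bool = True) -> bool:
    """Accept a state-changing request only if the browser vouches that it
    came from one of our own pages.

    Origin is consulted first when present, then Referer. The comparison is
    on the parsed origin, never on a substring, so lookalike hosts and URLs
    that merely contain the trusted origin in their path are rejected.
    A request carrying neither header is rejected in strict mode, since the
    user (not an attacking site) may have suppressed the header and nothing
    then says where the request came from.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if value:
            return origin_of(value) == TRUSTED_ORIGIN
    return not strict
```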