I was wondering how a server or script can identify if a request is from
a page, an iframe or XHR?
Doing this would not prevent any XSS attacks, but it would allow a
server/server-side script to detect a potential XSS attack.
I could not find any mention of any reliable way to do this currently.
Here is an example of this idea, when the browser fetches the page the
server sends this as a response header to the browser...
RRS: *
or
RRS: url
or
RRS: iframe
or
RRS: script
And when the browser does a POST it will send one of these (if the server
sent an RRS header) ...
RRS: url
or
RRS: iframe
or
RRS: script
RRS is short for "Report Request Source/Reported Request Source".
"url" indicates that the request source was a form on the page of the
requested url.
"iframe" indicates that the request source was from within an iframe on
the page of the requested url.
"script" indicates that the request source was from a script (via XHR) on
the page of the requested url.
If a server (or server script) is only expecting a POST from the page
but gets an RRS result of iframe or script then this could be logged and
reported to the server security supervisor for review.
The server sending "RRS: *" indicates that the request should be allowed
but reported (might be nice for debugging as well).
If it is "RRS: url" then any requests from an iframe or a script would be
denied/blocked by the browser (blocking two methods of making a POST).
Now if there exists another way to achieve the same and I just haven't
found it I'd appreciate it if someone pointed me in the right direction.
I'm also a bit unsure what working group (pun intended) a suggestion
should be directed to if this does not exist yet.
--
Roger Hågensen, Freelancer, http://skuldwyrm.no/
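Added example (not from the post or its author): a server-side check that applies the proposed RRS policy to the RRS value a browser reports on a POST, logging mismatches for review, plus a helper that derives the same "url"/"iframe"/"script" classification from the Fetch Metadata headers (Sec-Fetch-Dest, Sec-Fetch-Mode) that modern browsers send, which is a later standard and an assumption on my part, not something the post mentions. The header name RRS and the action names are taken from the post; the log messages are constructed.

```python
"""Evaluate the proposed RRS request header on the server side."""
import logging

logger = logging.getLogger("rrs")

# Request-source values the post defines for the RRS request header.
VALID_SOURCES = {"url", "iframe", "script"}


def rrs_action(policy, reported_source):
    """Apply the server's RRS policy to the RRS value a browser reported.

    policy: the value the server sent in its RRS response header ("*" or
    one of VALID_SOURCES). reported_source: the RRS request header, or None
    when the browser sent none (e.g. a browser without RRS support).
    Returns "allow", "report" (allow but log) or "deny".
    """
    if reported_source is None:
        return "allow"  # nothing reported, nothing to check
    if reported_source not in VALID_SOURCES:
        logger.warning("malformed RRS value %r", reported_source)
        return "report"
    if policy == "*":
        # "*": allow everything but report it (handy for debugging).
        logger.info("RRS source %s under policy *", reported_source)
        return "report"
    if reported_source == policy:
        return "allow"
    # Source differs from what the page expects: log for the reviewer, deny.
    logger.warning("unexpected RRS source %s, expected %s",
                   reported_source, policy)
    return "deny"


def rrs_from_fetch_metadata(headers):
    """Map Fetch Metadata headers to an RRS-like source (assumed mapping).

    headers: dict of request headers. Returns None when the browser sent
    no Sec-Fetch-Dest, so rrs_action() treats it like a legacy browser.
    """
    dest = headers.get("Sec-Fetch-Dest")
    mode = headers.get("Sec-Fetch-Mode")
    if dest is None:
        return None
    if dest == "iframe":
        return "iframe"
    if dest == "document" and mode == "navigate":
        return "url"      # top-level navigation, e.g. a form submission
    if dest == "empty":
        return "script"   # fetch() / XMLHttpRequest
    return dest           # image, style, ... passed through, flagged later
```

A request that carries no RRS (or Sec-Fetch-Dest) header is allowed, so the check is an extra detection signal, not a replacement for the server's own CSRF and input validation.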