Adam Barth wrote:
> On Thu, Oct 22, 2009 at 9:52 AM, Mike Ter Louw <mter...@uic.edu> wrote:
>> I agree.  It seems anti-csrf (as currently defined) would be most beneficial
>> for defending against CSRF attacks that don't require any user action beyond
>> simply viewing the page (e.g., <img src="attack">).
>
> Maybe we should focus the module on this threat more specifically.  My
> understanding is that this is a big source of pain for folks who
> operate forums, especially for user-supplied images that point back to
> the forum itself.  What if the directive was something like
> "cookieless-images" and affected all images, regardless of where they
> were loaded from?

I think this is a good start, and should be an option for sites that don't want CSP to provide any other CSRF restrictions. I've added an additional directive to the wiki, but it needs further definition.

Mike
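As an added illustration that is not part of the thread (and not a real CSP feature), here is a Python sketch of what the proposed "cookieless-images" directive would change from a forum operator's point of view: a simulated browser that drops the Cookie header on image loads when the directive is present, and a constructed state-changing GET endpoint that then does nothing. The directive syntax, the header parser and the forum endpoint are all assumptions.

```python
# Added example: simulates the proposed "cookieless-images" CSP directive.
# The directive name is taken from the discussion; its syntax and the browser
# and forum behaviour below are assumptions, not real CSP or browser code.

SESSION_COOKIE = "sid=constructed-session-token"  # constructed sample value


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse 'name value value; name2 ...' into {name: [values]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def build_request(csp_header: str, url: str, initiator: str) -> dict[str, str]:
    """Headers a (simulated) browser sends for a subresource fetch.

    Under the assumed directive, image loads carry no Cookie header at all,
    regardless of which origin the image is loaded from.
    """
    policy = parse_csp(csp_header)
    headers = {"Host": url.split("/")[2]}
    if initiator == "img" and "cookieless-images" in policy:
        return headers  # cookies stripped: the forum sees an anonymous request
    headers["Cookie"] = SESSION_COOKIE
    return headers


def delete_post(headers: dict[str, str], post_id: int, posts: set[int]) -> bool:
    """Constructed forum endpoint: a GET that changes state when a session
    cookie arrives, i.e. the classic <img src="attack"> target."""
    if headers.get("Cookie") != SESSION_COOKIE:
        return False  # unauthenticated request: nothing changes
    posts.discard(post_id)
    return True


def simulate(csp_header: str) -> bool:
    """Does a user-supplied <img> pointing back at the forum delete post 42?"""
    posts = {42}
    headers = build_request(csp_header, "https://forum.example/delete?post=42", "img")
    return delete_post(headers, 42, posts)
```

With `default-src 'self'` alone the image load still carries the session cookie and the post is deleted; adding `cookieless-images` makes the same load anonymous, so the endpoint refuses it.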
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security