Firefox 3.5 Introduces Origin Header, Security Features
Firefox 3.5 was just released about half an hour ago. You can check out all the new features for web developers here.
For me, as someone who does a lot of security research, one of the most interesting new features is the Origin HTTP header that Firefox 3.5 now sends. The Origin header is sent when your browser makes the following types of requests: scripts, stylesheets, form GET and form POST, redirects, XMLHttpRequest (XHR, Ajax), and frames.
You may be thinking: OK, how is this different from the HTTP Referer header? First, it only sends the domain name of the page, not the full URL, and second, it doesn't have many privacy concerns (so hopefully people won't turn it off).
So how can this improve security?
Web servers can block requests that send invalid Origin headers. This mitigates the risk of cross-site request forgery (CSRF), including JSON hijacking, for people using browsers that support this feature.
You can read more about the origin header here.
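The server-side check the post describes, written out as an added example in Python (not code from the original post): a state-changing request is accepted only if its Origin header, normalized to scheme://host[:port], exactly matches an allowlist of the site's own origins. The function names and the `reject_missing` policy switch are my own; the fallback to Referer covers browsers that do not yet send Origin.

```python
# Added example, not from the original post: Origin-header CSRF check.
# normalize_origin / origin_allowed are assumed names for illustration.
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Reduce a URL or Origin value to 'scheme://host[:port]', lower-cased,
    with the scheme's default port dropped. Returns None if unparseable."""
    try:
        parts = urlsplit(value.strip())
        scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    except ValueError:  # e.g. a non-numeric port
        return None
    if scheme not in DEFAULT_PORTS or not host:
        return None
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def origin_allowed(method, headers, allowed_origins, reject_missing=True):
    """Return (allowed, reason) for one request.

    Safe methods pass. For state-changing methods an Origin header, when
    present, must exactly match an allowed origin ("null" is rejected);
    substring or prefix matches are never accepted. Browsers that do not
    send Origin fall back to a Referer check, and a request carrying
    neither header fails closed unless reject_missing is False."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    hdrs = {name.lower(): value for name, value in headers.items()}
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    origin = hdrs.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return False, "null origin"
        if normalize_origin(origin) in allowed:
            return True, "origin matches allowlist"
        return False, f"origin {origin!r} not in allowlist"
    referer = hdrs.get("referer")
    if referer is not None:
        if normalize_origin(referer) in allowed:
            return True, "referer matches allowlist (no Origin sent)"
        return False, f"referer {referer!r} not in allowlist"
    if reject_missing:
        return False, "no Origin or Referer header"
    return True, "no Origin or Referer; accepted by policy"
```

Whether to reject requests that carry neither header is a compatibility decision: failing closed blocks CSRF from every browser but also blocks users whose browser sends no Origin and strips Referer.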
Tags: firefox, origin, header, http, security, csrf, json, ajax
Comments
Can you confirm whether such a header can be forged?
Ronan
I have been working with this and am having a lot of trouble with pre-flighted requests. The reason is that the pre-flighted request first sends a request to the server (via the OPTIONS method) and expects headers back that indicate whether the request can continue. But I cannot get IIS6 to pass the OPTIONS request to ColdFusion.
Have you tried this? The only way I could get it to work was to configure the headers in IIS. But that's no good since they are being returned on every request, and I want to use CF to do some verification of the request origin etc. Any ideas?