
Excluding the same-origin policy that all major browsers have and the synchronised token pattern (it would be a pain in the ass to tokenise all requests), how would you check if the request is sent directly from my user interface and not through a third party?

For example, sending a request from an iframe to YouTube (by that I mean the src=..., not an XMLHttpRequest object), the response would be a blank page (how do they do it?); send a request to Facebook ajax.hovercard (it's a simple get-content request) from an iframe, and the address bar will also give you a blank page (no content). So the response is normal content from an iframe request.

Like I said before, how would you check (preferably with some server-side code) if the request is coming from a trusted source?

P.S.: Don't rely on headers; I don't know why I'm not receiving Origin from requests, although I see they all implemented the Origin header in all major browsers. Referer can be modified by some anti-spyware programs. And anyway the headers can't really be trusted. But yes, that should be a layer for checking.

hakre
Cata Cata

2 Answers


Check $_SERVER['HTTP_REFERER'] and see if it's coming from your own site.

Niet the Dark Absol

You can't really be sure of the origin of the user. The user agent can be spoofed easily. I think you can create some CSRF tokens in your user interface and allow only clients that have those tokens.

Vlad Balmos
  • Yeah, that's what I was afraid of; can't find any other easier solutions. – Cata Cata Apr 06 '12 at 09:42
  • CSRF protection is relatively easy to implement. For each user's session create a token, store it in a cookie and also append the token to each user's action (POST, GET). If the token passed in the HTTP request is equal to the token from the cookie, then the user is legit. Of course this can be faked as well if an attacker knows how you created the token. – Vlad Balmos Apr 06 '12 at 09:45
  • The synchroniser token pattern can't be faked with a long and random token. And by cookie I hope I mean session variable. – Cata Cata Apr 06 '12 at 09:58
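The two answers above describe two separate layers: a Referer check and a per-session CSRF (synchroniser) token. The following is an added PHP example, not code from either answerer, that combines them in the order a defender would: the token is the real control, and the Origin/Referer check is the secondary layer the question already calls "a layer for checking". The constant TRUSTED_ORIGIN and all function names are assumptions chosen for this example. The token comes from the CSPRNG (random_bytes) and lives in the session, not a plain cookie, so knowing how it is created does not let anyone predict it, which addresses the caveat in the comments; the comparison uses hash_equals to avoid leaking the token through timing.

```php
<?php
// Added example (not from the original answers): synchroniser token pattern
// with an Origin/Referer check as a second layer, in plain PHP.

declare(strict_types=1);

const TRUSTED_ORIGIN = 'https://example.com'; // hypothetical origin of our own UI

// One token per session, generated from a CSPRNG so it cannot be guessed
// even by someone who knows exactly how it is produced.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_token_valid(?string $submitted, string $expected): bool
{
    if ($submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Secondary layer: Origin (preferred) or, failing that, Referer must point at
// our own site. A missing header is treated as untrusted, because a
// state-changing request from our own pages should carry at least one of them.
function source_header_valid(array $server, string $trusted): bool
{
    if (!empty($server['HTTP_ORIGIN'])) {
        return rtrim($server['HTTP_ORIGIN'], '/') === $trusted;
    }
    if (!empty($server['HTTP_REFERER'])) {
        $scheme = parse_url($server['HTTP_REFERER'], PHP_URL_SCHEME);
        $host   = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
        if (!is_string($scheme) || !is_string($host)) {
            return false; // malformed or relative Referer
        }
        return $scheme . '://' . $host === $trusted;
    }
    return false;
}

// Hidden field to embed in every form the UI renders, so the token travels
// with each user action as the second answer suggests.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Gate for state-changing requests: POST only, token must match, and the
// source header must agree with our origin.
function request_is_trusted(array $server, array $post): bool
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return false;
    }
    return csrf_token_valid($post['csrf_token'] ?? null, csrf_token())
        && source_header_valid($server, TRUSTED_ORIGIN);
}

// Usage at the top of a request handler:
// if (!request_is_trusted($_SERVER, $_POST)) {
//     http_response_code(403);
//     exit;
// }
```

Note that the first answer's Referer check on its own fails open for the cases raised in the question (a stripped or altered Referer), which is why source_header_valid is combined with the token rather than used alone; the token check is the one that still holds when the headers are absent.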