1

I have to design an API that will support browser plugins only (latest version of Chrome, Firefox, IE). The API will be served over HTTPS. The API will be using a cookie-based access control scheme.

I am wondering what tactics to employ for CSRF prevention. Specifically, I want my API only to get requests from my own browser plugin itself and not from any other pages/plugins.

Would I be able to:

  • Assume that in most cases there would be an Origin header?
  • Would I be able to compare and trust the Origin header to ensure that the requests only come from a white-listed set of Origins?
  • Would this be compatible across the board (Chrome/Firefox/IE)?

I'm aware of multiple techniques used to prevent CSRF, such as the Synchronizer Token Pattern, but I would like to know in my limited scope above, if simply checking the Origin header would be sufficient?

Thanks in advance!

H.M.
  • 69
  • 6
  • Any request header can easily be faked. If your users can authenticate via your "cookie-based access control scheme", do you really care what client they used to get there? – David Jun 04 '14 at 21:53

1 Answers1

2

Set a custom header like X-From-My-Plugin: yes. The server should require its presence. It can be a constant. A web attacker can either:

  1. make the request from the user's browser: this sends the cookie, but they can't send the custom header cross-origin; or
  2. make the request from a different HTTP client: they can send the custom header, but they can't send the cookie because they don't know it

Either way, the attacker's request won't have both the cookie and the custom header.

guest
  • 6,450
  • 30
  • 44
  • Would this work on Firefox? As far as I'm aware, Firefox [doesn't have](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest#Permissions) the granular [per-domain](https://developer.chrome.com/extensions/xhr#requesting-permission) permission model that Chrome has. So with Firefox, is it my understanding that the browser will not allow a custom domain to be set and will force the client to do a pre-flight request? – H.M. Jun 05 '14 at 07:06
  • There's not as clear of a concept of "other extensions" in Firefox, since all extensions and the browser itself are part of the same security principal with full privileges. – guest Jun 05 '14 at 21:39