TOC |
|
This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.
This Internet-Draft will expire on February 1, 2010.
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
This document defines the HTTP Sec-From header. The Sec-From header is added by the user agent to describe the security contexts that caused the user agent to initiate an HTTP request. HTTP servers can use the Sec-From header to mitigate against Cross-Site Request Forgery (CSRF) vulnerabilities.
1.
Introduction
2.
Origin
3.
Comparing Origins
4.
Serializing Origins
4.1.
Unicode Serialization of an Origin
4.2.
ASCII Serialization of an Origin
5.
User Agent Behavior
6.
HTTP Server Behavior
7.
Privacy Considerations
8.
Security Considerations
9.
IANA Considerations
10.
TODO
§
Authors' Addresses
TOC |
This document describes the HTTP Sec-From header. The Sec-From header identifies the security contexts that caused the user agent to initiate an HTTP request. HTTP servers can mitigate cross-site request forgery vulnerabilies by accepting requests only if the Sec-From header contains only white-listed origins.
TODO: Discuss other CSRF defenses.
TOC |
The following algoritm MUST be used to compute the origin of a URI.
Implementations MAY define other types of origins in addition to the scheme/host/port tuple type defined above. (For example, user agents could implement globally unique origins or certificate-based origins.)
TOC |
Implementations MUST use the following algorithm to test whether two origins are the "same origin".
TOC |
TOC |
Implementations MUST using the following algorithm to compute the Unicode serialization of an origin:
(i.e., the code point sequence U+006E, U+0075, U+006C, U+006C) and abort these steps.null
TODO: Check that we handle IPv6 literals correctly.
TOC |
Implementations MUST using the following algorithm to compute the ASCII serialization of an origin:
(i.e., the code point sequence U+006E, U+0075, U+006C, U+006C) and abort these steps.null
TOC |
Whenever a user agent issues an HTTP request, the user agent MUST include exactly one HTTP header named "Sec-From" that conforms to the following ABNF [RFC5234] grammar:
sec-from = "sec-from" ":" 1*WSP [ "null" / origin-list ] origin-list = serialized-origin *( "," 1*WSP serialized-origin ) serialized-origin = scheme "://" host [ ":" port ] ; <scheme>, <host>, <port> productions from RFC3986
Whenever a user agent would send a Sec-From header containing two consecutive, idential origin serializations, the user agent MAY remove one such origin serialization from the header.
Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Sec-From header.
If /B/ is the Request-URI in the Request-Line of an HTTP request, then the associated HTTP response is an "HTTP redirect from URI /B/" if the response contains a 3xx Status Code (all terms RFC2616).
Whenever a user agent issues an HTTP request to URI /A/ as a result of an HTTP redirect from URI /B/, the user agent MUST either:
Whenever a user agent issues an HTTP request that (1) is *not* the result of an HTTP redirect and (2) is *not* initiated from a "privacy-sensitive" context, the user agent SHOULD set the value of the Sec-From header to the ASCII serialization of the origin that initiated the HTTP request.
Note: This behavior differs from that of the HTTP Referer header, which user agents often suppress when an origin with an "https" scheme issues a request for a URI with an "http" scheme.
TOC |
HTTP Servers MAY use the Sec-From header to "defend themselves against CSRF attacks." Such servers are known as "participating servers" in this section.
Let the /origin white list/ of a participating server be a set of strings selected by the operator of that server.
The string "null" MUST NOT be a member of the /origin white list/ for any participating server.
Example: The origin white list for the example.com Web server could be the strings "http://example.com", "https://example.com", "http://www.example.com", and "https://www.example.com".
A participating server MUST use the following algorithm when determining whether to modify state in response to an HTTP request:
Example: A Web server could modify state in response to POST requests that lack an Sec-From header (because these requests are sent by non-supporting user agents) and could modify state in response to POST requests that have an Sec-From header of "http://example.com", "https://example.com", "http://www.example.com", or "https://www.example.com".
TOC |
This section is not normative.
The Sec-From header improves on the Referer header by respecting the user's privacy: The Sec-From header includes only the information required to identify the principal that initiated the request (typically the scheme, host, and port of initiating origin). In particular, the Sec-From header does not contain the path or query portions of the URI included in the Referer header that invade privacy without providing additional security.
The Sec-From header also improves on the Referer header by not leaking intranet host names to external web sites when a user follows a hyperlink from an intranet host to an external site because hyperlinks generate privacy-sensitive requests.
TOC |
This section is not normative.
Because a supporting user agent will always include the Sec-From header when making HTTP requests, HTTP servers can detect that a request was initiated by a supporting user agent by observing the presence of the header. This design prevents a malicious web site from making a supporting user agent appear to be a non-supporting user agent. Unlike the Referer header, which is absent when suppressed by the user agent, the Sec-From header takes on the value "null" when suppressed by the user agent.
In some legacy user agents, The Sec-From header can be spoofed for same-site XMLHttpRequests. Sites that rely only on network connectivity for authentication should use a DNS rebinding defense, such as validating the HTTP Host header, in addition to CSRF protection.
TOC |
TODO: The "Sec-From" header should be registered.
TOC |
Think about how this interacts with proxies.
Think about how this interacts with caches.
TOC |
Adam Barth | |
University of California, Berkeley | |
Email: | abarth@eecs.berkeley.edu |
URI: | http://www.adambarth.com/ |
Collin Jackson | |
Stanford University | |
Email: | collinj@cs.stanford.edu |
URI: | http://www.collinjackson.com/ |
Ian Hickson | |
Google, Inc. | |
Email: | ian@hixie.ch |
URI: | http://ln.hixie.ch/ |