CSRF browser protection


Author:

Gareth Heyes

@hackvertor

Published: Mon, 19 Nov 2007 09:45:42 GMT

Updated: Sat, 22 Mar 2025 15:38:07 GMT

I like the topic of CSRF because it's such a difficult problem to solve. I was thinking about ways a browser can prevent CSRF and I've come up with the following solutions:-

1. After the domain name, any image/object/frame etc request is truncated to a length set by a user-definable setting.

Limiting the amount of data an attacker can use helps provide damage limitation, or at least makes it more difficult for an attacker to inject malicious code. Of course a determined attacker can always find ways around these limitations, but making their life more difficult is always good.

2. Any image/object/frame URL containing & or ? characters is flagged for user confirmation before the item is loaded.

Normal images/frames rarely need these characters for normal operation, while most CSRF attacks do, so it makes sense to block/confirm these requests. Some web sites use dynamic images; in this case I would suggest a per-domain allow/deny option.

3. Any script generated object that performs a request always requires user authorisation.

Again this is another good defensive measure, because forms/iframes etc can be dynamically created and hidden from the user; requiring confirmation can alert the user to something nasty going on.

4. Window name and other named objects/values should be truncated to prevent hidden data being passed across domains.

For the same reason as mentioned in item 1, this is another good security measure.

5. All moz binding and CSS expressions require user confirmation before executing.

More often than not this functionality would be used for malicious purposes, and it makes sense for the user to confirm these requests or deny them completely.

6. Malicious keyword matching

Some web sites use "pretty" URLs which allow GET parameters to be sent using slashes etc. Even worse, these sites perform operations through the GET request which normally should be reserved for POST. In this case a browser could check that certain keywords, for example action=delete, aren't used within the URL of iframes/images/objects.
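To make ideas 1, 2 and 6 concrete, here is an added example (not code from the original post, and not any browser's real API) of a resource-loading policy check in JavaScript. It takes the URL of an image/frame/object request and returns whether the browser should load it, ask the user to confirm it, or block it, applying the keyword match from item 6, the &/? confirmation with a per-domain allow/deny list from item 2, and the truncation after the host name from item 1. The policy object, its field names, the length limit and the sample domains and keywords are all assumptions made for this illustration.

```javascript
// Added example, not from the original post: a resource-loading policy that
// applies ideas 1, 2 and 6 to the URL of an image/frame/object request.
// The policy shape, field names, sample domains and keyword list are assumed.

const defaultPolicy = {
  maxPathLength: 64,                               // idea 1: truncate after the host name
  allowQueryDomains: new Set(["cdn.example.org"]), // idea 2: domains allowed to use ?/&
  denyQueryDomains: new Set(["evil.example"]),     // idea 2: domains never allowed ?/&
  blockedKeywords: ["action=delete", "action=transfer", "/delete/"], // idea 6
};

// Returns { action, url, reasons } where action is "load", "confirm" or "block".
// Precedence is block > confirm > load. Never throws on odd input.
function checkResourceUrl(rawUrl, policy = defaultPolicy) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: "block", url: rawUrl, reasons: ["unparsable URL"] };
  }
  const reasons = [];
  let action = "load";

  // Everything after the host name: path, query and fragment. Checking the
  // path too covers the "pretty" URLs that carry parameters in slashes.
  const afterHost = url.pathname + url.search + url.hash;

  // Idea 6: malicious keyword matching (keywords are kept lower-case).
  for (const kw of policy.blockedKeywords) {
    if (afterHost.toLowerCase().includes(kw)) {
      reasons.push(`keyword ${kw}`);
      action = "block";
    }
  }

  // Idea 2: ? or & in the URL needs confirmation unless the domain is on the
  // allow list; a domain on the deny list is blocked outright.
  if (/[?&]/.test(afterHost)) {
    if (policy.denyQueryDomains.has(url.hostname)) {
      reasons.push("query characters on denied domain");
      action = "block";
    } else if (!policy.allowQueryDomains.has(url.hostname)) {
      reasons.push("query characters");
      if (action === "load") action = "confirm";
    }
  }

  // Idea 1: truncate everything after the host name to the user-defined
  // length, limiting how much data a hidden request can carry.
  let kept = afterHost;
  if (afterHost.length > policy.maxPathLength) {
    kept = afterHost.slice(0, policy.maxPathLength);
    reasons.push(`truncated to ${policy.maxPathLength} chars`);
  }
  return { action, url: url.origin + kept, reasons };
}
```

Calling `checkResourceUrl("https://bank.example/account?action=delete&id=7")` returns a "block" decision with both the keyword and the query-character reasons recorded, while a plain `https://cdn.example.org/img/logo.png` is loaded untouched; a URL with an over-long path is cut at the configured limit before it is returned.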

Of course any of these features could impact the browsing experience, but to provide better security you sometimes have to sacrifice some features. Any other suggestions, or problems with my suggestions, are welcome.
