Lightweight Server Support for Browser-Based CSRF Protection
Cross-Site Request Forgery (CSRF) attacks are one of the top threats on the web today. These attacks exploit ambient authority in browsers (e.g., cookies and HTTP authentication state), turning the browser into a confused deputy that causes undesired side effects on vulnerable web sites. Existing defenses against CSRF fall short in their coverage and/or ease of deployment. In this paper, the authors present a browser/server solution, Allowed Referrer Lists (ARLs), that addresses the root cause of CSRF and removes ambient authority for participating web sites that want to be resilient to CSRF attacks.
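The abstract does not spell out the ARL protocol, so the following is an added, self-contained illustration rather than the paper's mechanism: a server-side handler that shows why ambient authority (a valid session cookie) alone is not sufficient to authorize a state-changing request, and how gating such requests on an allowlist of initiating origins (checked against the browser-supplied `Origin`/`Referer` headers) closes the gap. The names `ALLOWED_REFERRER_ORIGINS`, `SESSIONS`, `is_request_allowed` and `handle_transfer`, and all sample values, are constructed for this example and are not from the paper.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to initiate state-changing
# requests on this site (a stand-in for a published ARL; assumption, not
# the paper's format). Server-only enforcement is shown here.
ALLOWED_REFERRER_ORIGINS = {"https://bank.example", "https://app.bank.example"}

# Constructed session store: cookie value -> user. This is the "ambient
# authority" a browser attaches automatically to any request to bank.example.
SESSIONS = {"sess-abc": "alice"}

# Methods that must not change state and therefore are not gated.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a URL to its lower-cased scheme://host[:port] origin.

    Returns None for values that are not absolute URLs, including the
    literal "null" origin that browsers send for opaque initiators.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_request_allowed(method, headers, allowed=ALLOWED_REFERRER_ORIGINS):
    """Decide whether the request's initiator is on the allowlist.

    Returns (allowed: bool, reason: str). Header names are matched
    case-insensitively; Origin is preferred over Referer because browsers
    send it on cross-site POSTs even when Referer is suppressed.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    initiator = h.get("origin") or h.get("referer")
    if not initiator:
        # Fail closed: with no initiator information the server cannot tell
        # a first-party form post from a forged cross-site one.
        return False, "no Origin/Referer: cannot verify initiator"
    origin = origin_of(initiator)
    if origin is None:
        return False, "unparsable or null initiator"
    if origin in allowed:
        return True, f"initiator {origin} on allowlist"
    return False, f"initiator {origin} not on allowlist"


def handle_transfer(method, headers, cookies):
    """Simulated state-changing endpoint. Returns an HTTP-style status code.

    401: no valid session (no ambient authority at all).
    403: valid session, but the initiating site is not allowed; this is the
         CSRF case, where the cookie alone would otherwise suffice.
    200: valid session and allowed initiator.
    """
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401
    allowed, _reason = is_request_allowed(method, headers)
    if not allowed:
        return 403
    return 200


if __name__ == "__main__":
    # First-party form post with a valid session: accepted.
    print(handle_transfer("POST", {"Origin": "https://bank.example"},
                          {"session": "sess-abc"}))
    # Same cookie, but the browser reports a different initiating origin:
    # rejected even though the ambient authority is valid.
    print(handle_transfer("POST", {"Origin": "https://evil.example"},
                          {"session": "sess-abc"}))
```

The decisive comparison is the last two calls: the session cookie is identical in both, and only the initiator check distinguishes the legitimate request from the forged one.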