Published 18 years 6 months ago • Last updated March 22, 2025 • ⏱️ 2 min read
I like the topic of CSRF because it's such a difficult problem to solve, I was thinking about ways a browser can prevent CSRF and I've come up with the following solutions:-
Limiting the amount of data an attacker can use helps provide damage limitation or makes it more difficult for an attacker to inject malicious code. Of course a determined attackers can always find ways around these limitations but making their life more difficult is always good.
Normal images/frames rarely need these characters for normal operations and most CSRF attacks do so it makes sense to block/confirm these requests. Some web sites user dynamic images, in this case I would suggest a per domain allow/deny option.
Again this is another good defensive measure because forms/iframes etc can be dynamically created and hidden from the user, requiring confirmation can alert the user of something nasty going on.
For the same reason as mentioned item 1, this is another good security measure.
More often than not this functionality would be used for bad and it makes sense for the user to confirm these requests or deny them completely.
Some web sites use "pretty" urls which allow get parameters to be sent using slashes etc, even worse these sites perform operations through the GET request which normally should be reserved for POST in this case a browser could check that certain keywords aren't used within the URL for example action=delete in iframes/images/objects.
Of course any of these features could impact on the browsing experience but to provide better security you sometimes have to sacrifice some features. Any other suggestions are welcome or problems with my suggestions.