I am new to web security, and the more I read about the different attack vectors, the more it boggles my mind that they are allowed in the first place. It is as if the web was designed with a compromised security model and is vulnerable by design.
Well, first of all, it was never intended to be secure. The web was originally designed as a static document management and sharing system that allows direct linking to resources on different machines.
The dynamic web you see today is a kludge. We can patch it with CSRF tokens, HTTP headers, etc., but if you build a dynamic website without any of these measures, the likelihood is that it is vulnerable (and that keeps people like me in work).
See the history in the Wikipedia article.
I am also amazed at the amount of vague and inaccurate information out there. For example, at first the same-origin policy sounds great, then I read that it applies only to XHR, and, by the way, it doesn't actually prevent XHR from sending a cross-origin POST, which is a classic CSRF attack. Glad I read on.
That is basically true. The same-origin policy also applies to windows and frames (for example, example.com cannot modify the contents of example.org using JavaScript if example.com includes example.org in an IFrame). Yes, a cross-domain XHR can be made, but without CORS enabled the response cannot be read. This protects CSRF tokens from theft, but as you say, if you do not use CSRF protection, it means the site is vulnerable to CSRF.
Other protections, such as adding a custom header, can be used to mitigate CSRF, since custom headers cannot be sent cross-domain.
XHR originally did not have access to anything cross-domain, which was considered too big a restriction, hence the emergence of CORS. Since forms could already submit to different domains, this was not considered a particularly risky move. It still isn't, provided that appropriate controls are implemented.
There is also an Origin header, which the server can use to ensure the request comes from the right place - but, unfortunately, it is set inconsistently by browsers, and if it is NOT set, you cannot tell with certainty whether that was because it was a same-origin request or a request type that simply doesn't get it in certain browsers (maybe an IMG tag?). Keep reading.
That's right. See this answer.
Why does the browser send the session cookie with a request that comes from a page that is not the source of the cookie?
Because many things would break otherwise. There are many forms designed to be submitted from static sites to dynamic sites that do the back-end processing.
There is a new standard for "same-site" cookies. A less dry explanation is here.
Basically, cookies can be set with the new SameSite attribute. In strict mode, cookies are not sent when the origin is different. In lax mode, they are withheld only if the method is, for example, POST, which covers most CSRF vulnerabilities.
The one you linked to was an early draft of this.
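The defences mentioned across this thread (the Origin check and its missing-header caveat, the custom-header trick, the synchroniser token, and the SameSite cookie attribute) put together server-side in Python, as an added example that is not code from any of the posters. SITE_ORIGIN, the Request stand-in, the X-Requested-With header and the cookie names are assumptions constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

SITE_ORIGIN = "https://example.com"      # assumption: the origin being protected
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for the example)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_check(req, session_token):
    """Return (allowed, reason) for a request, applying the thread's layers in order:
    the Origin header when the browser sent one, a custom header that a plain
    cross-site form cannot add, and finally a synchroniser token from the session."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "Origin header is cross-origin"
    # A missing Origin proves nothing (some browsers/request types omit it),
    # so fall through to the other checks instead of allowing.
    if req.headers.get("X-Requested-With") == "XMLHttpRequest":
        # Cross-origin XHR can only carry this header if the server first
        # approved a CORS preflight, so its presence implies same-origin JS.
        return True, "custom header present"
    token = req.form.get("csrf_token", "")
    if session_token and hmac.compare_digest(token, session_token):
        return True, "CSRF token matched"
    return False, "no custom header and CSRF token missing or wrong"


def set_cookie_header(name, value, same_site="Lax"):
    """Build the Set-Cookie value for a session cookie carrying the SameSite attribute."""
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def browser_sends_cookie(same_site, cross_site, method, top_level_nav):
    """Simplified browser rule for whether a cookie accompanies a request."""
    if not cross_site:
        return True
    if same_site == "Strict":
        return False
    if same_site == "Lax":            # only top-level navigations with safe methods
        return method in SAFE_METHODS and top_level_nav
    return True                       # SameSite=None (must also be Secure)
```

The browser_sends_cookie rule is the Lax/Strict behaviour described in the answer above, reduced to its core; real browsers add further exceptions.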