How secure is HTTP_ORIGIN?
I want to find out whether an incoming HTTP_REQUEST call from a third party website is coming from the list of domains that I defined.
I know that HTTP_REFERER can be used to find out where the third party domain is, but it is not secure enough. People can spoof it or use Telnet to fake it.
So, how about HTTP_ORIGIN? Is it sent from all browsers? Is it secure?
Also, can people fake the REMOTE_ADDR in a HTTP_REQUEST call?
Solution 1:
HTTP_ORIGIN is a way to protect against CSRF (Cross Site Request Forgery) requests. Currently it is implemented only by Chrome (as of Nov 2011). I tested Firefox and Opera, but they failed.
Its name in the request header is Origin. On the server in my PHP script I see it as HTTP_ORIGIN in the $_SERVER array. This header is sent only in some cases, when protection against CSRF is required (only POST should be sufficient). Here is list of all requests whether it is set or not:
https://wiki.mozilla.org/Security/Origin
- Anchor tag - NO
- Window navigation - NO
- IMG - NO
- iframe, embed, applet - YES
- Form (GET and POST) - YES
- SCRIPT - YES
- stylesheets - NO
- dependent loads from stylesheets - NO
- Redirects - YES
- XHR - YES
The Origin header is implemented only in Chrome, unfortunately. It was announced first in January 2010 on Google Chrome's blog:
http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html
CSRF Protection via Origin Header
The Origin header is a new HTML5 feature that helps you defend your site against cross-site request forgery (CSRF) attacks. In a CSRF attack, a malicious web site, say attacker.com, instructs the user's browser to send an HTTP request to a target server, say example.com, that confuses the example.com server into performing some action. For example, if example.com is a webmail provider, the CSRF attack might trick example.com into forwarding an email message to the attacker.
The Origin header helps sites defend against CSRF attacks by identifying which web site generated the request. In the above example, example.com can see that the request came from the malicious web site because the Origin header contains the value http://attacker.com. To use the Origin header as a CSRF defense, a site should modify state only in response to requests that either (1) lack an Origin header or (2) have an Origin header with a white-listed value.
I am just implementing CSRF protection in my PHP script, I personally use Chrome, so that is sufficient for me, I hope other browsers will catch up with Chrome soon.
What is funny is that Mozilla invented that security feature, as you can read lots of documentation of that Origin header on its website, but they still didn't have time to implement it ;-)
HTTP_ORIGIN seems to contain only protocol and domain, without slash at the end:
"http://www.example.com" - even if you submit the form from "http://www.example.com/myform/".
A simple protection against CSRF in PHP script:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($_SERVER['HTTP_ORIGIN'])) {
$address = 'http://'.$_SERVER['SERVER_NAME'];
if (strpos($address, $_SERVER['HTTP_ORIGIN']) !== 0) {
exit('CSRF protection in POST request: detected invalid Origin header: '.$_SERVER['HTTP_ORIGIN']);
}
}
}
This script could still be upgraded to support PORT other than 80 (Origin contains the port when it's different than 80), HTTPS connections, and submitting the forms from different subdomains (ex. sub.example.com => posting request to www.example.com).
Solution 2:
HTTP_ORIGIN is neither sent by all browsers nor is it secure.
Nothing sent by the browser can ever be considered safe.
Solution 3:
People here are thinking about this all wrong -- the 'CORS' standard isn't so the server doesn't get hacked, even if it helps that in addition to what it does. The purpose is to allow 'THE BROWSER' to have a way of easing up on requests that go against the same origin policy. If the client and the server are on the same page, then the 'CLIENT' can decide whether or not to allow the request.
Obviously by having the server participate in the decision you are helping in the security process.
But it won't protect the server from unauthorized access - that is what passwords and cookies are for.
The client can be (as someone mentioned) a telnet tool, where every single thing crafted is fake.
But one of Chrome's, and FF's, etc, selling points is that they will help you by not allowing Javascript to go outside of the same origin sandbox, which means the only thing by default that can be compromised is the stuff that is on the 'attackers' own website. Or other sites that decide to not be secure.
CORS is the technology that allows you to say -- hey, I want users to be able to consume my snazzy service from the javascript on this other site they use. So I'm gonna add this site to my exceptions. Which means you are helping your authorized users poke a hole in their browser security for that particular site. Which means a hole that a hacker can exploit. Thus the care with which you set up the service, right?
This means that any site that doesn't have CORS set up is by default secure from Cross Site Scripting from a compliant browser (barring bugs and hacks of course). The browser will ask if this service wants to participate in the origin site's javascript, and if the cross site says "I don't know nothing about this damn site", then the browser's javascript engine will close the connection and dump the data.
So just to summarize -- CORS doesn't help you make thing secure. It helps you make a hole in your browsers ability to make a user more secure. But hopefully in a managed way.. and only for particular sites..