How to stop CSRF exploits?
What changes to the HTTP protocol spec, and to browser behaviour, would be required to prevent dangerous cases of cross-site request forgery?
I am not looking for suggestions as to how to patch my own web app. There are millions of vulnerable web apps and forms. It would be easier to change HTTP and the browsers.
If you agree, please tell me what changes to the HTTP protocol and browser behaviour are needed. Here are my ideas:
– cookies should be declared ‘local’ (default) or ‘remote’
– the browser must not send ‘local’ cookies with a cross-site request
– the browser must never send http-auth headers with a cross-site request
– the browser must not send a cross-site POST or GET ?query without permission
– the browser must report and control attacks, where many cross-site requests are made
– the browser should send ‘Origin: (local|remote)’, even if ‘Referer’ is disabled
– other common web security issues such as XSHM should be addressed in the HTTP spec
– a new HTTP protocol version 1.2 is needed, to show that a browser is conforming
– browsers should update automatically to meet new security requirements, or warn the user
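The cookie, http-auth, cross-site POST/GET, Origin and request-flood rules proposed above, written out as a small browser model so their combined effect on a request can be checked. This is an added example, not code from the question or from any browser; `BrowserModel`, its cookie jar layout and the host-equality notion of "site" are assumptions made here.

```python
from urllib.parse import urlsplit

# Constructed model of the proposed browser rules (not real browser code):
# 'local' cookies and http-auth headers never cross sites, a cross-site POST
# or GET-with-query needs explicit permission, every request carries
# 'Origin: local|remote', and a per-initiator counter flags request floods.

def site_of(url):
    # Assumption: a 'site' is scheme + host. A real browser would compare
    # registrable domains rather than full hostnames.
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname)

class BrowserModel:
    def __init__(self, cookie_jar, auth_header=None, flood_threshold=5):
        # cookie_jar: {name: (value, scope)} held for the target site, where
        # scope is 'local' (the proposed default) or 'remote'.
        self.cookie_jar = cookie_jar
        self.auth_header = auth_header
        self.flood_threshold = flood_threshold
        self.cross_site_counts = {}  # initiator site -> cross-site requests seen

    def build_request(self, initiator_url, method, target_url, user_permitted=False):
        cross = site_of(initiator_url) != site_of(target_url)
        headers = {"Origin": "remote" if cross else "local"}
        if not cross:
            # Same-site: all cookies and the auth header may be attached.
            cookies = {name: value for name, (value, _scope) in self.cookie_jar.items()}
            if self.auth_header:
                headers["Authorization"] = self.auth_header
            return {"sent": True, "headers": headers, "cookies": cookies, "flagged": False}
        # Cross-site: count it for flood reporting, then apply the restrictions.
        count = self.cross_site_counts.get(initiator_url, 0) + 1
        self.cross_site_counts[initiator_url] = count
        flagged = count >= self.flood_threshold
        dangerous = method == "POST" or (method == "GET" and bool(urlsplit(target_url).query))
        if dangerous and not user_permitted:
            return {"sent": False, "reason": "cross-site %s needs permission" % method,
                    "flagged": flagged}
        # Only 'remote' cookies travel cross-site; http-auth is never attached.
        cookies = {name: value for name, (value, scope) in self.cookie_jar.items()
                   if scope == "remote"}
        return {"sent": True, "headers": headers, "cookies": cookies, "flagged": flagged}
```

Running the model with a 'local' session cookie and a 'remote' preference cookie shows the forged POST being withheld while a plain cross-site GET still goes out with only the 'remote' cookie.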