#33 Implement Origin header CSRF mitigation

Open
opened 6 months ago by mattatobin · 0 comments

This may be a key part of the mechanisms tested to determine a "modern" web client in `Cloudflare`'s Browser Integrity Check. Though public outcry has finally caused CF to change what they pulled on everyone. It may later require this again. Not to mention other bits of bs.

Still, the initial implementation at least when set to `1` is likely safe according to our peers at the SeaMonkey Project. `2` likely won't be until more control over a `ReferrerPolicy` is ported with all the refactoring that requires and THEN follow-ups to get `2` going could be done.

We will have to see how this goes on both the code side and the `Cloudflare` side.

----

Mozilla [Bug 446344](https://bugzilla.mozilla.org/show_bug.cgi?id=446344)
Gecko-dev [Commit](https://github.com/mozilla/gecko-dev/commit/5d8fa6f3518f8e3edc7bed4a9af9b3c23c59d73a)
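As an added example, not code from this issue, from UXP or from the Gecko commit linked above, here is the server-side half of an Origin header CSRF mitigation: a check that lets a state-changing request through only when its Origin header, or failing that the origin derived from the Referer, matches one of the site's own origins. The function and parameter names (normalize_origin, request_origin, is_csrf_safe, allowed_origins) are assumptions of this example.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # never change state

def normalize_origin(value):
    """Canonical scheme://host[:port] for a URL or origin string, or None.

    None covers malformed values and the opaque "null" origin browsers send
    for sandboxed or privacy-sensitive contexts; callers treat it as unknown.
    """
    parts = urlsplit(value.strip())
    try:
        port = parts.port                 # ValueError on a malformed port
    except ValueError:
        return None
    scheme, host = parts.scheme, parts.hostname   # both already lower-cased
    if not scheme or not host:
        return None
    if ":" in host:                       # bare IPv6 literal: restore brackets
        host = f"[{host}]"
    if port is None or (scheme, port) in (("http", 80), ("https", 443)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def request_origin(headers):
    """Origin the client claims for this request, or None.

    Prefers the Origin header (what the client-side change in this issue makes
    the browser send); falls back to the Referer's origin when Origin is absent.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" in lowered:
        return normalize_origin(lowered["origin"])
    if "referer" in lowered:
        return normalize_origin(lowered["referer"])
    return None

def is_csrf_safe(method, headers, allowed_origins):
    """Strict policy: safe methods pass; state-changing requests must carry a
    claimed origin that is in allowed_origins. A missing, "null" or malformed
    origin is rejected, since an attacker's page can arrange any of those.
    """
    if method.upper() in SAFE_METHODS:
        return True
    claimed = request_origin(headers)
    if claimed is None:
        return False
    return claimed in {normalize_origin(o) for o in allowed_origins}
```

The headers passed in the checks below are constructed samples; a real deployment would log the rejected origin so that misconfigured clients (such as one sending no Origin at all) can be told apart from cross-site requests.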