tor weather subscription problem
tor at lists.grepular.com
Tue Feb 1 09:57:45 UTC 2011
On 01/02/2011 07:40, Scott Bennett wrote:
> I just tried to sign up for the "tor weather" email service. Clicking
> on the subscribe button after entering the information requested in various
> places earlier on the page yielded,
>
> Forbidden (403)
>
> CSRF verification failed. Request aborted.
>
> You are seeing this message because this HTTPS site requires a 'Referer header' to be sent
> by your web browser, but none was sent. This header is required for security reasons, to
> ensure that your browser is not being hijacked by third parties.
>
> If you have configured your browser to disable 'Referer' headers, please re-enable them, at
> least for this site, or for HTTPS connections, or for 'same-origin' requests.
>
> More information is available with DEBUG=True.
As a web developer who has discovered and defended against CSRF in the
past, I feel I should express my opinion here. You should only use HTTP
referrers to prevent CSRF as a quick fix whilst a proper system is put
in place. A better way would be to embed a session ID in the form, pass
it in the POST data, and then compare it against the session ID on the
server side.
--
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
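One way to implement the token check the reply describes, shown beside the Referer-only "quick fix" that produced the 403 above. This is an added example, not code from the thread or from the Tor Weather service; the in-memory session store, the form markup and the site URL in the Referer variant are constructed assumptions.

```python
from __future__ import annotations

import hmac
import secrets
from typing import Optional

# Constructed in-memory session store (an assumption for this example): session id -> CSRF token.
SESSIONS: dict[str, str] = {}


def new_session() -> str:
    """Create a server-side session and bind a fresh random CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def render_subscribe_form(session_id: str) -> str:
    """Embed the session's token as a hidden field so the browser sends it back in the POST body."""
    token = SESSIONS[session_id]
    return ('<form method="POST" action="/subscribe">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="email"><button>Subscribe</button></form>')


def verify_post(cookie_session_id: Optional[str], post_data: dict[str, str]) -> bool:
    """Server-side check described in the message: the token in the POST body must match
    the token stored for the session named by the cookie. A cross-site page can make the
    browser attach the cookie, but it cannot read the token out of the form, so a forged
    request arrives without it (or with a guess) and is rejected here."""
    if cookie_session_id is None or cookie_session_id not in SESSIONS:
        return False
    expected = SESSIONS[cookie_session_id]
    submitted = post_data.get("csrf_token", "")
    # Constant-time comparison on bytes so a timing side channel cannot leak the token.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def referer_only_check(headers: dict[str, str], site: str = "https://weather.example") -> bool:
    """The Referer-based 'quick fix' that produced the 403 above: accept the request only if
    the Referer names this site. Browsers or proxies that strip Referer lock legitimate users
    out, which is why it should only be a stopgap. The site URL is a constructed placeholder."""
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(site + "/")
```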